Abstract. At CRYPTO 2013, Boneh and Zhandry initiated the study of quantum-secure encryption. They proposed first indistinguishability definitions for the quantum world where the actual indistinguishability only holds for classical messages, and they provide arguments why it might be hard to achieve a stronger notion. In this work, we show that stronger notions are achievable, where the indistinguishability holds for quantum superpositions of messages. We investigate exhaustively the possibilities and subtle differences in defining such a quantum indistinguishability notion for symmetric-key encryption schemes. We justify our stronger definition by showing its equivalence to novel quantum semantic-security notions that we introduce. Furthermore, we show that our new security definitions cannot be achieved by a large class of ciphers - those which quasi-preserve the message length. On the other hand, we provide a secure construction based on quantum-resistant pseudorandom permutations; this construction can be used as a generic transformation for turning a large class of encryption schemes into quantum indistinguishable and hence quantum semantically secure ones. Moreover, our construction is the first completely classical encryption scheme shown to be secure against an even stronger notion of indistinguishability, which was previously known to be achievable only by using quantum messages and arbitrary quantum encryption circuits.


1 Introduction 

Quantum computers [NC00] threaten many cryptographic schemes. By using Shor’s algorithm [Sho94] and its variants [Wat01], an adversary in possession of a quantum computer can break the security of every scheme based on factorization and discrete logarithms, including RSA, ElGamal, elliptic-curve primitives and many others. Moreover, longer keys and output lengths are required in order to

* An extended abstract of this work appears in the proceedings of CRYPTO 2016. 
maintain the security of block ciphers and hash functions [Gro96,BHT97]. These difficulties led to the development of post-quantum cryptography [BBD09], i.e., classical cryptography resistant against quantum adversaries.

When modeling the security of cryptographic schemes, care must be taken in defining exactly what property one wants to achieve. In classical security models, all parties and communications are classical. When these notions are used to prove post-quantum security, one must consider adversaries having access to a quantum computer. This means that, while the communication between the adversary and the user is still classical, the adversary might carry out computations on a quantum computer.

Such post-quantum notions of security turn out to be unsatisfying in certain scenarios. For instance, consider quantum adversaries able to use quantum superpositions of messages $\sum_x \alpha_x |x\rangle$ instead of classical messages when communicating with the user, even though the cryptographic primitive is still classical. This kind of scenario is considered, e.g., in [BZ13,DFNS14,Unr12,Wat09,Zha12]. Such a setting might for example occur in a situation where one party using a quantum computer encrypts messages for another party that uses a classical computer and an adversary is able to observe the outcome of the quantum computation before measurement. Other examples are an attacker which is able to trick a classical device into showing quantum behavior, or a classical scheme which is used as a subprotocol in a larger quantum protocol. Another possibility occurs when using obfuscation. There are applications where one might want to distribute the obfuscated code of a symmetric-key encryption scheme (with the secret key hardcoded) in order to allow a third party to generate ciphertexts without being able to retrieve the key - think of this as building public-key encryption from symmetric-key encryption using Indistinguishability Obfuscation. Because in these cases an adversary receives the classical code for producing encryptions, he could implement the code on his local quantum computer and query the resulting quantum circuit on a superposition of inputs. Moreover, even in quantum reductions for classical schemes, situations could arise where superposition access is needed. Typical examples are impossibility results (such as meta-reductions [DFG13]), where giving the adversary additional power often rules out a broader range of secure reductions. Notions covering such settings are often called quantum-security notions. In this work we propose new quantum-security notions for encryption schemes.

For encryption, the notion of semantic security [GM84,Gol04] has been traditionally used. This notion models in abstract terms the fact that, without the corresponding decryption key, it is impossible not only to correctly decrypt a ciphertext, but even to recover any non-trivial information about the underlying plaintext. The exact definition of semantic security is cumbersome to work with in security proofs as it is simulation-based. Therefore, the simpler notion of ciphertext indistinguishability has been introduced. This notion is given in terms of an interactive game where an adversary has to distinguish the encryptions of two messages of his choice. The advantage of this definition is that it is easier to work with than (but equivalent to) semantic security.
To the best of our knowledge, no quantum semantic-security notions for classical encryption schemes have been proposed so far. For indistinguishability, Boneh and Zhandry introduced indistinguishability notions for quantum-secure encryption under chosen-plaintext attacks in a recent work [BZ13]. They consider a model (IND-qCPA) where a quantum adversary can query the encrypting device in superposition during a learning phase but is limited to classical communication during the actual challenge phase. However, in the symmetric-key scenario, this approach has the following shortcoming: If we assume that an adversary can get quantum access in a learning phase, it seems unreasonable to assume that he cannot get such access when the actual message of interest is encrypted. Boneh and Zhandry showed that a seemingly natural notion of quantum indistinguishability is unachievable. In order to restore a meaningful definition, they resorted to the compromise of IND-qCPA.


Our contributions. In this paper we achieve two main results. On the one hand, we initiate the study of semantic security in the quantum world, providing new definitions and a thorough discussion about the motivations and difficulties of modeling these notions correctly. This study is concluded by a suitable definition of quantum semantic security under chosen plaintext attacks (qSEM-qCPA). On the other hand, we extend the fundamental work initiated in [BZ13] in finding suitable notions of indistinguishability in the quantum world. We show that the compromise that had to be reached there in order to define an achievable notion instead of a more natural one (i.e., IND-qCPA vs. fqIND-qCPA) can be overcome - although not trivially. We show how various other possible notions of quantum indistinguishability can be defined. All these security notions span a tree of possibilities which we analyze exhaustively in order to find the most suitable definition of quantum indistinguishability under chosen plaintext attacks (qIND-qCPA). We prove this notion to be achievable, strictly stronger than IND-qCPA, and equivalent to qSEM-qCPA, thereby completing an elegant framework of security notions in the quantum world; see Figure 2 below for an overview.

Furthermore, we formally define the notion of a core function and quasi-length-preserving ciphers - encryption schemes which essentially do not increase the plaintext size, such as stream ciphers and many block ciphers including AES - and we show the impossibility of achieving our new security notion for this kind of schemes. While this impossibility might look worrying from an application perspective, we also present a transformation that turns a block cipher into an encryption scheme fulfilling our notion. This transformation also works with respect to an even stronger notion of indistinguishability in the quantum world, which was introduced in [BJ15], and previously only known to be achievable in the setting of computational quantum encryption, that is, the scenario where all the parties have quantum computing capabilities, and encryption is performed through arbitrary quantum circuits operating on quantum data. Even if this scenario goes in a very different direction from the scope of our work, it is interesting to note that our construction is the first fully classical scheme secure even with respect to such a purely quantum notion of security.
The ‘frozen smart-card’ example. In order to clarify why quantum security allows the adversary quantum superposition access to classical primitives - as opposed to the case of post-quantum security - we give a motivating example. In this thought experiment, we consider a not-so-distant future where the target of an attack is a tiny encryption chip, e.g., integrated into an RFID tag or smart-card. It is reasonable to assume that it will include elements of technology currently researched but undeployed (i.e., extreme miniaturization, optical electronics, etc.). Regardless, the chip we consider is a purely classical device, performing classical encryption (e.g. AES) on classical inputs, and outputting classical outputs.

Consider an adversary equipped with some future technology which subjects the device to a fault-injection environment, by varying the physical parameters (such as temperature, power, speed, etc.) under which the device usually operates. As a figurative example, our ‘quantum hacker’ could place the chip into an isolation pod, which keeps the device at a very low temperature and shields it from any external electromagnetic or thermal interference. This situation would be analogous to what happens when security researchers perform side-channel analysis on cryptographic hardware in today’s labs, using techniques such as thermal or electromagnetic manipulation which were previously considered futuristic. There is no guarantee that, under these conditions, the chip does not start to show full or partial quantum behaviour. At this point, the adversary could query the device on a superposition of plaintexts by using, e.g., a laser and an array of beam splitters when feeding signals into the chip via optic fiber.

It is unclear today what a future attacker might be able to achieve using 
such an attack. As traditionally done in cryptography, we assume the worst-case 
scenario where the attacker can actually query the target device in superposition. 
Classical security notions such as IND-CPA do not cover this scenario while our 
new notion qIND-qCPA does. This setting is an example of what we mean by 
‘tricking classical parties into quantum behaviour’. 

Related work. The idea of considering scenarios where a quantum adversary can force other parties into quantum behaviour has first been considered in [DFNS14]. Attacks exploiting classical encryptions in quantum superposition have been described in [KM10,KM12,KLLNP16,SS16]. In [BZ13] the authors also consider the security of signature schemes where the adversary can have quantum access to a signing oracle. Quantum superposition queries have also been investigated relative to the random oracle model [BDF+11]. Another quantum indistinguishability notion has been suggested (but not further analyzed) by Velema in [Vel13]. Prior work has considered the security of quantum methods to encrypt classical data in the computational setting [Kos07,XY12]. In concurrent and independent work, Broadbent and Jeffery [BJ15] introduce indistinguishability notions for the public- and secret-key encryption of quantum messages in the context of fully homomorphic quantum computation. We refer to Page 16 for a more detailed description of how their definitions relate to our framework. A more complete overview for these notions, including semantic security for quantum encryption schemes, can be found in another concurrent work [ABF+16].
2 Preliminaries


In this section, we briefly recall the classical security notions for encryption 
schemes secure against chosen plaintext attacks (CPA). In addition, we revisit 
the two existing indistinguishability notions for the quantum world. We start by 
introducing notation we will use throughout the paper. 

We say that a function $f : \mathbb{N} \to \mathbb{R}$ is polynomially bounded iff there exists a polynomial $p$ and a value $n_0 \in \mathbb{N}$ such that for every $n > n_0$ we have $f(n) < p(n)$; in this case we will just write $f = \mathrm{poly}(n)$. We say that a function $\varepsilon : \mathbb{N} \to \mathbb{R}$ is negligible if and only if for every polynomial $p$ there exists an $n_p \in \mathbb{N}$ such that $\varepsilon(n) <$ for every $n > n_p$; in this case we will just write $\varepsilon = \mathrm{negl}(n)$. In this work, we focus on secret-key encryption schemes. In all that follows we use $n \in \mathbb{N}$ as the security parameter.

Definition 2.1 (Secret-key encryption scheme [Gol04]). A secret-key encryption scheme is a triple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) operating on a message space $\mathcal{M} = \{0,1\}^m$ (where $m = \mathrm{poly}(n) \in \mathbb{N}$) that fulfills the following two conditions:

1. The key generation algorithm Gen($1^n$) on input of security parameter $n$ in unary outputs a bitstring $k$.

2. For all $k$ in the range of Gen($1^n$) and any message $x \in \mathcal{M}$, the algorithms Enc (encryption) and Dec (decryption) satisfy $\Pr[\mathrm{Dec}(k, \mathrm{Enc}(k, x)) = x] = 1$, where the probability is taken over the internal coin tosses of Enc and Dec.

We write $\mathcal{K}$ for the range of Gen($1^n$) (the key space) and Enc$_k(x)$ for Enc$(k, x)$.


2.1 Classical Security Notions: IND-CPA and SEM-CPA. 

We turn to security notions for encryption schemes. In this work, we will only look at the notions of indistinguishability of ciphertexts under adaptively chosen plaintext attack (IND-CPA), and semantic security under adaptively chosen plaintext attack (SEM-CPA), which are known to be equivalent (e.g., [Gol04]).

Game-based definitions. In general these notions can be defined as a game between a challenger C and an adversary A. First, C generates a legitimate key by running $k \leftarrow \mathrm{Gen}(1^n)$, which he uses throughout the game. The game starts with a first learning phase. A challenge phase follows where A receives a challenge. Afterwards, a second learning phase follows, and finally A has to output a solution. The learning phases define the type of attack, and the challenge phase the notion captured by the game. We give all our definitions by referring to this game framework and by defining a learning and a challenge phase.

The CPA learning phase: A is allowed to adaptively ask C for encryptions 
of messages of his choice. C answers the queries using key k. Note that this is 
equivalent to saying that A gets oracle access to an encryption oracle that was 
initialized with key k. 
The IND challenge phase: A defines a challenge template consisting of two equal-length messages $x_0, x_1$, and sends it to C. The challenger C samples a bit $b \leftarrow \{0,1\}$ uniformly at random, and replies with the encryption Enc$_k(x_b)$. A’s goal is to guess $b$.

Definition 2.2 (IND-CPA). A secret-key encryption scheme is said to be IND-CPA secure if the success probability of any probabilistic polynomial-time adversary winning the game defined by CPA learning phases and an IND challenge phase is at most negligibly (in $n$) close to 1/2.

The SEM challenge phase: A sends C a challenge template $(S_m, h_m, f_m)$ consisting of a poly-sized circuit $S_m$ specifying a distribution over $m$-bit long plaintexts, an advice function $h_m : \{0,1\}^m \to \{0,1\}^*$, and a target function $f_m : \{0,1\}^m \to \{0,1\}^*$. The challenger C replies with the pair $(\mathrm{Enc}_k(x), h_m(x))$ where $x$ is sampled according to $S_m$. A’s challenge is to output $f_m(x)$.

In the definition of semantic security it is not required that A’s probability of winning the game is always negligible. Instead, A’s success probability is compared to that of a simulator S that plays in a reduced game: On one hand, S gets no learning phases. On the other hand, during the challenge phase, S does not receive the ciphertext but only the output of the advice function. This use of a simulator is what makes the notion hard to work with in proofs, as one has to construct a simulator for every possible A to prove a scheme secure.

Definition 2.3 (SEM-CPA). A secret-key encryption scheme is said to be SEM-CPA secure if for any probabilistic polynomial-time adversary A there exists a probabilistic polynomial-time simulator S such that the challenge templates produced by S and A are identically distributed and the success probability of A winning the game defined by CPA learning phases and a SEM challenge phase (computed over the coins of A, Gen, and $S_m$) is negligibly close (in $n$) to the success probability of S winning the reduced game.

Semantic security models what we want an encryption scheme to achieve: 
An adversary given a ciphertext can learn nothing about the encrypted message 
which he could not also learn from his knowledge of the message distribution 
and possibly existing side-information (modeled by h m ). Indistinguishability of 
ciphertexts is an equivalent technical notion introduced to simplify proofs. 

2.2 Previous Notions of Security in the Quantum World 

We briefly recall the results from [BZ13] about quantum indistinguishability notions. We refer to [NC00] for commonly used notation and quantum information-theoretic concepts. Given security parameter $n$, let $\{\mathcal{H}_n\}_n$ be a family of complex Hilbert spaces such that $\dim \mathcal{H}_n = 2^{\mathrm{poly}(n)}$. We assume that $\mathcal{H}_n$ contains all the subspaces where the message states, the ciphertext states and any auxiliary state live. For the sake of simplicity we will not make a distinction when writing that a state $|\varphi\rangle$ belongs to one particular subspace, and we will omit the index $n$ when the security parameter is implicit, therefore writing just $|\psi\rangle \in \mathcal{H}$. We will denote pure states with ket notation, e.g., $|\psi\rangle$, while mixed states will be denoted by lowercase Greek letters, e.g. $\rho$. We start by defining what we call a classical description of a quantum state:

Definition 2.4 (Classical Description). A classical description of a quantum state $\rho$ is a (classical) bitstring describing a quantum circuit S which (takes no input but starts from a fixed initial state $|0\rangle$ and) outputs $\rho$.

This definition will be used later in our new notions of security. We deviate here from the traditional meaning of ‘classical description’ referring to individual numerical entries of the density matrix. The reason is that our definition also covers the cases where those numerical entries are not easily computable, as long as we can give an explicit constructive procedure for that state. Clearly, every pure quantum state $|\varphi\rangle$ has a classical description (given by a description of the quantum circuit which implements the unitary that maps $|0\rangle$ to $|\varphi\rangle$). The classical description of a mixed state $\rho_A$ is given by the circuit which first creates a purification $|\psi\rangle_{AR}$ of $\rho_A$ and then only outputs the A register. Note that a state admitting a classical description cannot be entangled with any other system.

For encryption, following the approach in [BZ13] and many other works, we define the following:

Definition 2.5 (Quantum Encryption Oracle [BZ13]). Let Enc be the encryption algorithm of a secret-key encryption scheme $\mathcal{E}$. We define the quantum encryption oracle $U_{\mathrm{Enc}_k}$ associated with $\mathcal{E}$ and initialized with key $k$ as (a family of) unitary operators defined by:

$$U_{\mathrm{Enc}_k} : \sum_{x,y} \alpha_{x,y}\,|x\rangle\,|y\rangle \;\mapsto\; \sum_{x,y} \alpha_{x,y}\,|x\rangle\,|y \oplus \mathrm{Enc}_k(x)\rangle \qquad (1)$$

where the same randomness $r$ is used in superposition in all the executions of Enc$_k(x)$ within one query⁶ - for each new query, a fresh independent $r$ is used.

The first indistinguishability notion proposed in [BZ13] replaces all classical communication between A and C by quantum communication. A and C are now quantum circuits operating on quantum states, and sharing a certain number of qubits (the quantum communication register). The definition for the new security game is obtained from Definition 2.2 by changing the learning and challenge phases as follows:

Quantum CPA learning phase (qCPA): A gets oracle access to $U_{\mathrm{Enc}_k}$.

Fully quantum IND challenge phase (fqIND): A prepares the communication register in the state $\sum_{x_0,x_1,y} \alpha_{x_0,x_1,y}\,|x_0\rangle\,|x_1\rangle\,|y\rangle$, consisting of two $m$-qubit states (the two input-message superpositions) and an ancilla state to store the ciphertext. C samples a bit $b \leftarrow \{0,1\}$ and applies the transformation:

$$\sum_{x_0,x_1,y} \alpha_{x_0,x_1,y}\,|x_0\rangle\,|x_1\rangle\,|y\rangle \;\mapsto\; \sum_{x_0,x_1,y} \alpha_{x_0,x_1,y}\,|x_0\rangle\,|x_1\rangle\,|y \oplus \mathrm{Enc}_k(x_b)\rangle .$$

A’s goal is to output $b$.

⁶ As shown in [BZ13], this is not restrictive.

The resulting security notion in [BZ13] is called indistinguishability under 
fully quantum chosen-message attacks (IND-fqCPA). We decided to rename 
it to fully quantum indistinguishability under quantum chosen-message attacks 
(fqIND-qCPA) in order to fit into our naming scheme: It consists of a quantum 
CPA learning phase and a fully quantum IND challenge phase. 

Definition 2.6 (fqIND-qCPA). A secret-key encryption scheme is said to 
be fqIND-qCPA secure if the success probability of any quantum probabilistic 
polynomial-time adversary winning the game defined by qCPA learning phases 
and a fqIND challenge phase is at most negligibly close (in n) to 1/2. 

As already observed in [BZ13], this notion is unachievable. The separation by Boneh and Zhandry exploits the entanglement of quantum states, namely the fact that entanglement can be created between plaintext and ciphertext.

Theorem 2.7 (BZ attack [BZ13, Theorem 4.2]). No symmetric-key encryption scheme can achieve fqIND-qCPA security.

Proof. The attack works as follows: The adversary A chooses as challenge messages the states $|0^m\rangle$ and $H|0^m\rangle$ (where $H$ denotes the $m$-fold tensor Hadamard transform), i.e. he prepares the register in the state $\sum_x 2^{-m/2}\,|0^m, x, 0^m\rangle$. When the challenger C performs the encryption, we can have two cases:

— if $b = 0$, i.e. the first message state is chosen, the state is transformed into

$$\sum_x 2^{-m/2}\,|0^m, x, \mathrm{Enc}_k(0^m)\rangle = |0^m\rangle \otimes H|0^m\rangle \otimes |\mathrm{Enc}_k(0^m)\rangle ;$$

— if $b = 1$, i.e. the second message state is chosen, the state is transformed into

$$\sum_x 2^{-m/2}\,|0^m, x, \mathrm{Enc}_k(x)\rangle = |0^m\rangle \otimes \sum_x 2^{-m/2}\,|x\rangle\,|\mathrm{Enc}_k(x)\rangle .$$

Notice that in the second case we have a fully entangled state between the second and the third register. At this point, A does the following:

1. measures (traces out) the third register;

2. applies again $H$ to the second register;

3. measures the second register;

4. outputs $b' = 1$ iff the outcome of this last measurement is $0^m$, else outputs 0.

In fact, if $b = 0$, then the second register is left untouched: By applying again the Hadamard transformation it will be reset to the state $|0^m\rangle$, and a measurement on this state will yield $0^m$ with probability 1. If $b = 1$ instead, tracing out one half of a fully entangled state results in a complete mixture in the second register. Applying a Hadamard transform and measuring in the computational basis necessarily gives a fully random outcome, and hence outcome $0^m$ only with probability $2^{-m}$, which is negligible in $n$, because $m = \mathrm{poly}(n)$. □
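As an added example (not part of the paper), the following Python program simulates the BZ attack exactly for a constructed toy cipher on a few bits: it prepares the adversary's state $|0^m\rangle \otimes H|0^m\rangle \otimes |0^m\rangle$, applies the challenger's fqIND transformation for either challenge bit, applies $H$ to the second register and computes the probability of reading $0^m$, which is 1 for $b = 0$ and $2^{-m}$ for $b = 1$. The XOR cipher `enc`, the key and the dict-based register layout are assumptions of the example, not the paper's.

```python
# Added example, not from the paper: an exact statevector simulation of the
# BZ attack of Theorem 2.7 against the fqIND challenge phase, run on a
# constructed toy cipher.  A state is a dict mapping the basis label
# (x0, x1, y) of the three m-qubit registers to its amplitude.

M = 3          # constructed toy message length (the paper's m = poly(n))
KEY = 0b101    # constructed toy key k, an m-bit value


def enc(key: int, x: int) -> int:
    """Constructed toy Enc_k: XOR with the key, a bijection on m-bit strings.

    The attack only needs Enc_k (for fixed key and randomness) to be
    injective in x, so any length-preserving bijection would do here.
    """
    return x ^ key


def adversary_initial_state(m: int) -> dict:
    """|0^m> (x) H|0^m> (x) |0^m>: the two challenge messages and the ancilla.

    Equals sum_x 2^{-m/2} |0^m, x, 0^m>, as in the proof of Theorem 2.7.
    """
    amp = 2 ** (-m / 2)
    return {(0, x1, 0): amp for x1 in range(1 << m)}


def fqind_challenge(state: dict, key: int, b: int) -> dict:
    """Challenger's transformation for challenge bit b:
    sum a|x0>|x1>|y>  ->  sum a|x0>|x1>|y (+) Enc_k(x_b)>.
    """
    new = {}
    for (x0, x1, y), a in state.items():
        xb = x0 if b == 0 else x1
        label = (x0, x1, y ^ enc(key, xb))
        new[label] = new.get(label, 0.0) + a
    return new


def hadamard_second_register(state: dict, m: int) -> dict:
    """Apply H^{(x)m} to the second register (the adversary's step 2)."""
    norm = 2 ** (-m / 2)
    new = {}
    for (x0, x1, y), a in state.items():
        for xp in range(1 << m):
            # H^{(x)m}|x1> = 2^{-m/2} sum_xp (-1)^{x1 . xp} |xp>
            sign = -1.0 if bin(x1 & xp).count("1") % 2 else 1.0
            label = (x0, xp, y)
            new[label] = new.get(label, 0.0) + sign * norm * a
    return new


def prob_second_register_is(state: dict, outcome: int) -> float:
    """Pr[measuring the second register yields `outcome`].

    Measuring (tracing out) the third register first, as in step 1, does
    not change this marginal, so steps 1 and 3 collapse into one sum.
    """
    return sum(abs(a) ** 2 for (_, x1, _), a in state.items() if x1 == outcome)


def bz_outcome_probabilities(m: int, key: int) -> tuple:
    """Pr[final measurement gives 0^m] for b = 0 and for b = 1.

    Expected: exactly 1 for b = 0 and 2^{-m} for b = 1 (for b = 1 the
    second and third register are maximally entangled, so tracing out
    the third leaves a complete mixture in the second).
    """
    probs = []
    for b in (0, 1):
        state = fqind_challenge(adversary_initial_state(m), key, b)
        state = hadamard_second_register(state, m)
        probs.append(prob_second_register_is(state, 0))
    return tuple(probs)


def bz_advantage(m: int, key: int) -> float:
    """|Pr[0^m | b = 0] - Pr[0^m | b = 1]| = 1 - 2^{-m}: the adversary's edge."""
    p0, p1 = bz_outcome_probabilities(m, key)
    return abs(p0 - p1)


if __name__ == "__main__":
    p0, p1 = bz_outcome_probabilities(M, KEY)
    print(f"m={M}: Pr[0^m | b=0] = {p0:.4f}, Pr[0^m | b=1] = {p1:.4f}")
    print(f"advantage = {bz_advantage(M, KEY):.4f}, 1 - 2^-m = {1 - 2 ** -M:.4f}")
```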






Theorem 2.7 implies that the fqIND-qCPA notion is too strong. In order to weaken it, the following notion of indistinguishability under adaptively chosen quantum plaintext attacks was introduced:

Definition 2.8 (IND-qCPA [BZ13]). A secret-key encryption scheme is said to be IND-qCPA secure if the success probability of any quantum probabilistic polynomial-time adversary winning the game defined by qCPA learning phases and a classical IND challenge phase is at most negligibly close (in $n$) to 1/2.

In this definition, the CPA queries are allowed to be quantum, but the challenge query is required to be classical. It has been shown that, under standard computational assumptions, IND-qCPA is strictly stronger than IND-CPA:

Theorem 2.9 (IND-CPA IND-qCPA [BZ13, Theorem 4.8]). If classically secure PRFs exist and order-finding in prime groups is classically hard, then there exists an encryption scheme $\mathcal{E}$ which is IND-CPA secure, but not IND-qCPA secure.


3 New Notions of Quantum Indistinguishability 

IND-qCPA might be viewed as classical indistinguishability (IND) under a quantum chosen plaintext attack (qCPA). The authors in [BZ13] resorted to this definition in order to overcome their impossibility result on one seemingly natural notion of quantum indistinguishability (fqIND-qCPA) which turned out to be too strong. This raises the question whether IND-qCPA is the only possible quantum indistinguishability notion (and hence no classical encryption scheme can achieve indistinguishability of ciphertext superpositions) or if there exists a stronger notion which can be achieved.

In this section we show that in defining fqIND-qCPA, many choices are made implicitly, and that on the other hand there exist other possible quantum indistinguishability notions. We discuss these choices spanning a binary ‘security tree’ of possible notions. Afterwards, we obtain a small set of candidate notions, eliminating those that are either ill-posed or unachievable because of the BZ attack from Theorem 2.7. In all these notions, we implicitly assume ‘quantum CPA learning phases’, as in the case of IND-qCPA. However, we limit the discussion in this section to the design of a quantum challenge phase. In the end, we select a suitable ‘qIND-’ notion amongst all the possible candidate ones.


3.1 The ‘Security Tree’ 

To define a general notion of indistinguishability in the quantum world, we have to consider many different distinctions for possible candidate models. For example, can we rule out certain forms of entanglement? How? Does the adversary have complete control over the challenger device? Each of these distinctions leads to a fork in a ‘security-model binary tree’. We analyze every ‘leaf’ of the tree⁷. Some of them lead to unreasonable or ill-posed models, some of them yield unachievable security notions, and others are analyzed in more detail.

Game model: Oracle (O) vs. Challenger (C). This distinction decides how the game, and especially the challenge phase, is implemented. In the classical world, the following two cases are equivalent, but in the quantum world they differ. In the oracle model, the adversary A gets oracle access to encryption and challenge oracles, i.e., he plays the game by performing calls to unitary gates $O_1, \ldots, O_q$. In this case A is modeled as a quantum circuit which implements a sequence of unitary gates $U_0, \ldots, U_q$, intertwined by calls to the $O_i$’s. Given an input state $|\varphi\rangle$, the adversary therefore computes the state:

$$U_q O_q \cdots U_1 O_1 U_0\,|\varphi\rangle .$$

The structure of the oracle gates $O_i$ itself is unknown to A, who is only allowed to apply them in a black-box way. The fqIND notion uses this model.

In what we call the challenger model instead, the game is played against an external (quantum) challenger. Here, A is a quantum circuit which shares a quantum register (the communication channel) with another quantum circuit C. The main difference is that in this case we can also consider what happens if C has additional input or output lines out of A’s control. Moreover, A does not automatically gain access to the inverse (adjoint) of quantum operations performed by C, and C cannot be ‘rewound’ by the adversary, which would be far too powerful possibilities. This scenario also covers the case of ‘unidirectional’ state transmission, i.e., when qubits are sent over a quantum channel to another party, and they are not available afterwards until that party sends them back. Regardless, in security proofs in the (C) model, it is still allowed for an external entity (e.g. a simulator, or a reduction) to rewind the joint circuit composed by adversary and challenger together, if need be. However, we are not aware of any known reduction involving rewinding in this form for encryption schemes in the quantum world.

In order to keep consistency with this choice of the model, when also considering qCPA queries, we implicitly assume the same access mode to the Enc$_k$ oracle as in the qIND game. That is, if we are in the (O) scenario, during the qCPA phase A has quantum oracle access to Enc$_k$. In the (C) case, instead, superposition access to Enc$_k$ is provided to A by an external challenger.

At first glance, the (O) model intuitively represents the scenario where A has almost complete control of some encryption device, whereas the (C) model is more suited to a ‘network’ scenario where A wants to compromise the security of some external target.

Plaintexts: quantum states (Q) vs. classical description (c). In the (Q) model, the two $m$-qubit plaintexts chosen by A for the challenge template can be arbitrary (BQP-producible) quantum states and can be entangled with each other and other states. In the (c) model, instead, A is only allowed to choose classical descriptions of two $m$-qubit quantum states according to Definition 2.4, thus being only allowed to send classical information to C: the challenger C will read the states’ descriptions and will build one of the two states depending on his challenge bit $b$.

⁷ We do not rule out that some of them might eventually lead to the same model.

In classical models, there is no difference between sending a description of a message or the message itself. In the quantum world, there is a big difference between these two cases, as the latter allows A to establish entanglement of the message(s) with other registers. This is not possible when using classical descriptions. It might intuitively appear that the (Q) model (considered for the fqIND-qCPA notion) is more natural. However, the (c) scenario models the case where A is well aware of the message that is encrypted, but the message is not constructed by A himself. Giving A the ability to choose the challenge messages for the IND game models the worst case that might happen: A knows that the ciphertext he receives is the encryption of one out of the two messages that he can distinguish best. This closely reflects the intuition behind the classical IND notions: in that game, the adversary is allowed to send the two messages not because in the real world he would be allowed to do so, but because we want to achieve security even for the best possible choice of messages from the adversary’s perspective. Hence, the (c) model is a valid alternative. We will further discuss the difference between these two models later.

Relaying of plaintext states: Yes ( Y ) vs. No (n). If C is not relaying (n), 
this means that the two plaintext states chosen by A will not be ‘sent back’ to 
A (in other words: their registers will not be available anymore to A after the 
challenge encryption). In circuit terms, this means that at the beginning of the 
game, C will have (one or two) ancilla registers in his internal (private) memory. 
During the encryption phase, C will swap these register(s) with the content of 
the original plaintext register(s), hence transferring their original content outside 
of A’s control. 

If the challenger is relaying (Y) instead, this means that the two plaintext 
states will be left in the original register (or channel), and may be accessed by 
A at any moment. This is the model considered for fqIND. 

Again, the (Y) case is more fitting to those cases where A ‘implements locally’ 
the encryption device and has almost full control of it, whereas the (n) case is 
more appropriate when the game is played against some external entity which is 
not under A’s control. This is a rather natural assumption, for example, when 
states are sent over some quantum channel and not returned. We stress that 
this distinction in relaying is not trivial: it is not possible for A, in general, to 
simulate relaying by keeping internal states entangled with the plaintexts. As an 
example, consider the attack in Theorem 2.7: it is easy to see that this cannot 
be performed without relaying. 

Type of unitary transformation: (1) vs. (2). In quantum computing, the
'canonical' way of evaluating a function f(x) in superposition is by using an
auxiliary register:

$$\sum_{x,y} \alpha_{x,y}\,|x\rangle|y\rangle \;\mapsto\; \sum_{x,y} \alpha_{x,y}\,|x\rangle|y \oplus f(x)\rangle. \qquad (1)$$

This way ensures that the resulting operator is invertible, even if f is not. We call
this type-(1) transformations: if $Enc_k$ is an encryption mapping m-bit plaintexts
to ℓ-bit ciphertexts, the resulting operator in this case will act on m + ℓ qubits
in the following way:

$$U^{(1)}_{Enc_k}: \sum_{x,y} \alpha_{x,y}\,|x\rangle|y\rangle \;\mapsto\; \sum_{x,y} \alpha_{x,y}\,|x\rangle|y \oplus Enc_k(x)\rangle,$$

where the y's are ancillary values. This approach is also used for fqIND.

In our case, though, we do not consider arbitrary functions, but encryptions,
which act as bijections on some bit-string spaces (assuming that the randomness
is treated as an input). Therefore, provided that the encryption does not change
the size of a message, the following transformation is also invertible:

$$U^{(2)}_{Enc_k}: \sum_{x} \alpha_{x}\,|x\rangle \;\mapsto\; \sum_{x} \alpha_{x}\,|Enc_k(x)\rangle. \qquad (2)$$

For the more general case of arbitrary message expansion factors, we will consider
transformations of the form:

$$\sum_{x,y} \alpha_{x,y}\,|x\rangle|y\rangle \;\mapsto\; \sum_{x,y} \alpha_{x,y}\,|\varphi_{x,y}\rangle,$$

where the length of the ancilla register is $|y| = |Enc_k(x)| - |x|$ and $\varphi_{x,0} = Enc_k(x)$
for every x, i.e., initializing the ancilla y register in the $|0\rangle$ state produces a
correct encryption, which is what we expect from an honest quantum executor.
One might ask what happens if the ancilla is not initialized to 0; we leave the
general case of arbitrary ancilla manipulation as an interesting open problem,
but we stress the fact that this behavior is not considered in the case of honest
parties. We call these type-(2) transformations^8.

Notice that, in general, type-(1) and type-(2) transformations are very different:
having quantum oracle access to a type-(2) unitary $U^{(2)}_{Enc_k}$ and its adjoint also
gives access to the related type-(2) decryption oracle
$U^{(2)}_{Dec_k}: \sum_x \alpha_x |Enc_k(x)\rangle \mapsto \sum_x \alpha_x |x\rangle$.
In fact, notice that $(U^{(2)}_{Enc_k})^\dagger = U^{(2)}_{Dec_k}$, while the adjoint of a type-(1)
encryption operator $U^{(1)}_{Enc_k}$ is generally not a type-(1) decryption operator. In
particular, type-(2) operators are 'more powerful' in the sense that knowledge of
the secret key is required in order to build any efficient quantum circuit implementing
them. However, we stress the fact that whenever access to a decryption
oracle is allowed, the two models are completely equivalent, because then we
can simulate a type-(2) operator by using ancilla qubits and 'uncomputing' the
resulting garbage lines (see Figure 1) (as we will see, this will be the case for the
challenger in our qIND notion).
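
The two operator types and the Figure 1 constructions, as an added example that is not code from the paper: a toy 2-bit cipher (XOR with the key, then a one-bit rotation; an assumption chosen only because it is a permutation of the message space) stands in for $Enc_k$. Every operator involved is a permutation matrix, so each is stored as a map from basis index to basis index, the adjoint is the inverse map, and composition is function composition. The checks confirm that $(U^{(2)}_{Enc_k})^\dagger$ is $U^{(2)}_{Dec_k}$ while $(U^{(1)}_{Enc_k})^\dagger$ is $U^{(1)}_{Enc_k}$ itself and not $U^{(1)}_{Dec_k}$, that a type-(1) operator exists even for a non-bijective f, and that each type can be built from the other as in Figure 1.

```python
"""Type-(1) and type-(2) encryption operators on a toy cipher, plus the Figure 1
constructions of each from the other. Added example, not code from the paper."""


def toy_cipher(key: int, m: int):
    """Toy m-bit block cipher (assumption): XOR with the key, then rotate left by one.
    It is a permutation of {0,1}^m, hence length preserving, so a type-(2) operator exists."""
    mask = (1 << m) - 1

    def enc(x):
        y = (x ^ key) & mask
        return ((y << 1) | (y >> (m - 1))) & mask

    def dec(c):
        y = ((c >> 1) | ((c & 1) << (m - 1))) & mask
        return (y ^ key) & mask

    return enc, dec


# All operators below are permutation matrices: stored as {basis index: basis index}.

def type2_op(f, m):
    """U^(2)_f : |x> -> |f(x)> on m qubits. Only defined when f is a bijection on m bits."""
    u = {x: f(x) for x in range(1 << m)}
    if len(set(u.values())) != len(u):
        raise ValueError("a type-(2) operator needs a bijection")
    return u


def type1_op(f, m, l):
    """U^(1)_f : |x>|y> -> |x>|y xor f(x)> on m + l qubits; basis index is (x << l) | y.
    Defined for any f, bijective or not."""
    return {(x << l) | y: (x << l) | (y ^ f(x)) for x in range(1 << m) for y in range(1 << l)}


def adjoint(u):
    """Adjoint of a permutation operator is its inverse permutation."""
    return {v: k for k, v in u.items()}


def compose(*ops):
    """Circuit order: compose(a, b, c) applies a, then b, then c."""
    out = {}
    for i in ops[0]:
        j = i
        for op in ops:
            j = op[j]
        out[i] = j
    return out


def on_first_register(u, l):
    """Lift an operator on register 1 to |x>|y> -> |u(x)>|y>."""
    return {(x << l) | y: (u[x] << l) | y for x in u for y in range(1 << l)}


def swap_registers(m):
    return {(a << m) | b: (b << m) | a for a in range(1 << m) for b in range(1 << m)}


def fanout_cnot(m):
    """m CNOTs copying register 1 onto register 2: |a>|b> -> |a>|b xor a>."""
    return {(a << m) | b: (a << m) | (b ^ a) for a in range(1 << m) for b in range(1 << m)}


def type1_from_type2(u2, m):
    """Figure 1, left: U^(2)_Enc on register 1, copy it into register 2, undo with (U^(2)_Enc)^dagger."""
    return compose(on_first_register(u2, m), fanout_cnot(m), on_first_register(adjoint(u2), m))


def type2_from_type1(u1_enc, u1_dec, m):
    """Figure 1, right: U^(1)_Enc, SWAP, U^(1)_Dec. On |x>|0> the second register ends up
    uncomputed, so the result is |Enc(x)>|0>, i.e. U^(2)_Enc acting on register 1."""
    return compose(u1_enc, swap_registers(m), u1_dec)


def check_relations(key=0b01, m=2):
    enc, dec = toy_cipher(key, m)
    u2_enc, u2_dec = type2_op(enc, m), type2_op(dec, m)
    u1_enc, u1_dec = type1_op(enc, m, m), type1_op(dec, m, m)
    built2 = type2_from_type1(u1_enc, u1_dec, m)
    return {
        "cipher_invertible": all(dec(enc(x)) == x for x in range(1 << m)),
        # (U^(2)_Enc)^dagger is exactly the type-(2) decryption operator ...
        "type2_adjoint_is_dec": adjoint(u2_enc) == u2_dec,
        # ... whereas (U^(1)_Enc)^dagger is U^(1)_Enc itself (XOR is an involution), not U^(1)_Dec.
        "type1_adjoint_is_self": adjoint(u1_enc) == u1_enc,
        "type1_adjoint_is_dec": adjoint(u1_enc) == u1_dec,
        "fig1_left_ok": type1_from_type2(u2_enc, m) == u1_enc,
        "fig1_right_ok": all(built2[x << m] == (enc(x) << m) for x in range(1 << m)),
    }


if __name__ == "__main__":
    for name, ok in check_relations().items():
        print(f"{name}: {ok}")
```

Running `check_relations` with a different key or block size gives the same pattern; the only input-dependent line is `fig1_right_ok`, which is checked only on inputs whose ancilla register starts in $|0\rangle$, exactly the honest-executor assumption made above for type-(2) operators.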

8 These are called minimal quantum oracles in [KKVB02].

Fig. 1. Equivalence between type-(1) and type-(2) in the case of 1-qubit messages. Left:
building a type-(1) encryption oracle by using a type-(2) encryption oracle (and its
inverse) as a black-box. Right: building a type-(2) encryption oracle by using type-(1)
encryption and decryption oracles as black-boxes.

3.2 Analysis of the models

By considering these 4 distinctions in the security tree we have $2^4 = 16$ possible
candidate models to analyze. We label each of these candidate models by
appending each one of the 4 labels of every tree branch in brackets. Clearly,
16 different definitions of quantum indistinguishability is too much, but luckily
most of these are unreasonable or unachievable. To start with, we can ignore the
following:

Leaves of the form (Oc...). In the O scenario, the oracle is actually a
quantum gate inside A's quantum circuitry. Therefore A has the capability of
querying the oracle on states which are possibly entangled with other registers
kept by A itself.

Leaves of the form (OQn...). Again, the oracle is a gate which has no
internal memory to store and keep the plaintext states sent by A.

Leaves of the form (...Y2). Relaying is not taken into account in type-(2)
transformations. In these transformations, to some extent, one of the two
plaintext registers is always relayed (after having been 'transformed' into a
ciphertext). If the other plaintext was to be relayed as well, this would immediately
compromise indistinguishability (because one of the two states would be modified
and the other not, and both of them would be handed over to A).

Excluding these options leaves us with 7 models, but it is easy to see that 3
of them are unachievable because of the attack from Theorem 2.7. This is the
case for (OQY1) (which is exactly fqIND-qCPA), (CQY1), and (CcY1). Of the
remaining 4, notice that (CQn1) and (Ccn1) are equivalent to the IND-qCPA
notion from [BZ13]. The reason is that from A's perspective, a non-relaying C is
indistinguishable from a C tracing out (measuring) the plaintext register (otherwise
A and C could communicate faster than light). This measuring operation
would make the ciphertext collapse into a single (classical) ciphertext. And since
tracing out the challenge register and applying the type-(1) operator $U^{(1)}_{Enc_k}$ commute,
one can consider (without loss of generality) the case that A himself first
measures the plaintext register, and then initiates a classical IND query with
C, therefore recovering a classical definition of IND challenge query^9. Therefore,
using any of (CQn1) or (Ccn1) would lead to a weaker notion of quantum
indistinguishability. Since we are interested in achieving stronger notions, we will
hence consider the more challenging scenarios (CQn2) and (Ccn2).

9 However, we stress that this interpretation is not entirely correct. In fact, one might
consider composition scenarios where the IND query is just an intermediate step,
and the plaintext and ciphertext registers are reunited at some later step. In such
scenarios, not relaying would not be equivalent to measuring. We ignore such
considerations in this work, and leave the general case of composable security as an
interesting open question.

This argument also leads to the following interesting observation. Ultimately, 
whether a challenger (or encryption device) performs type-(l) or type-(2) oper¬ 
ations depends on its architecture which we cannot say anything about - we will 
focus on the (... 2) models in order to be on the ‘safe side’, as they lead to secu¬ 
rity notions which are harder to achieve. In order to design a secure encryption 
device, it is good advice to avoid the possibility that it can be accessed in type- 
(2) mode. For such a device, it would be sufficient to provide IND-qCPA security, 
which is weaker and therefore easier to achieve. Clearly, providing guidelines on 
how to construct encryption devices resilient to type-(2) access lies outside the 
scope of this work. 


3.3 qIND 

At this point we are left with only two candidate notions: (Ccn2) and (CQn2). 
From now on we will denote them as ‘quantum indistinguishability of ciphertexts ’ 
(qIND) and ‘general quantum indistinguishability of ciphertexts’ (gqIND) resp., 
and we summarize the resulting challenge phases as follows. 

Quantum IND challenge phase (qIND): A chooses two quantum states
$\rho_0, \rho_1$ having efficient (poly-sized) classical descriptions, and sends to C a
challenge template consisting of these two classical descriptions according to
Definition 2.4. C samples a bit b and replies to A with the state obtained by applying
the type-(2) operator $U^{(2)}_{Enc_k}$ as defined in (2) to $\rho_b$. A's goal is to output b.

General Quantum IND challenge phase (gqIND): A chooses two quantum
states $\rho_0, \rho_1$, and sends them to C. C samples a bit b, discards (traces out) $\rho_{1-b}$,
and replies to A with the state obtained by applying the type-(2) operator $U^{(2)}_{Enc_k}$
as defined in (2) to $\rho_b$. A's goal is to output b.

Using these challenge phases and the notion of a qCPA learning phase, we 
define qIND-qCPA and gqIND-qCPA as follows. 

Definition 3.1 (qIND-qCPA). A secret-key encryption scheme is said to be 
qIND-qCPA secure if the success probability of any quantum probabilistic poly¬ 
nomial time adversary winning the game defined by qCPA learning phases and 
the qIND challenge phase above is at most negligibly close (in n) to 1/2. 

Definition 3.2 (gqIND-qCPA). A secret-key encryption scheme is said to 
be gqIND-qCPA secure if the success probability of any quantum probabilistic 
polynomial time adversary winning the game defined by qCPA learning phases 
and the gqIND challenge phase above is at most negligibly close (in n) to 1/2. 

Since we mainly consider type-(2) transformations from now on, we will overload
notation and also use $U_{Enc_k}$ to denote the type-(2) encryption operator.

Theorem 3.3 (gqIND-qCPA ⇒ qIND-qCPA). Let $\mathcal{E}$ be a gqIND-qCPA
secure symmetric-key encryption scheme. Then $\mathcal{E}$ is also qIND-qCPA secure.


The reason is that quantum states admitting an efficient classical description 
(used in qIND) are just a special case of arbitrary quantum plaintext states (used 
in gqIND). Despite this implication, we will mainly focus on the qIND notion in 
the following, and we will use the gqIND notion only as a comparison to other 
existing notions. The main reason for this choice is that in the context of classical 
encryption schemes resistant to superposition quantum access, we believe that 
it is important to not lose focus of what the capabilities of a ‘reasonable’ ad¬ 
versary should be. Namely, recall the following classical IND argument: allowing 
the adversary to send plaintexts to the challenger is equivalent to the fact that 
indistinguishability must hold even for the most favorable case from the adver¬ 
sary’s perspective. Such an argument does not hold anymore quantumly. In fact, 
the ( Q ) model considered in gqIND presents the following issues: 


- it allows entanglement between the adversary and the challenger: A could
prepare a state of the form $\rho_{AB} = \frac{1}{\sqrt{2}}|00\rangle + \frac{1}{\sqrt{2}}|11\rangle$, sending $\rho_A$ as a plaintext
but keeping $\rho_B$;

- it allows the adversary to create certain non-reproducible states. For example,
consider the state $|\psi\rangle = \sum_{x \in X} \frac{1}{\sqrt{|X|}}\,|x\rangle|h(x)\rangle$, where h is a collision-resistant
hash function. A could measure the second register, obtaining a
random outcome y, and knowing therefore that the remaining state is the
superposition of the preimages of y,
$|\psi_y\rangle = \sum_{x \in X:\, h(x) = y} \frac{1}{\sqrt{|\{x \in X : h(x) = y\}|}}\,|x\rangle$.
A could then use $|\psi_y\rangle$ as a plaintext in the challenge phase, but note that A
cannot reproduce $|\psi_y\rangle$ for a given value y.

Both of the above examples are not reasonable in our scenario. Entanglement between
A and C represents a sort of 'quantum watermarking' of messages, which
goes beyond what a meaningful notion of indistinguishability should achieve.
Knowledge of intermediate, unpredictable measurements also renders A too powerful,
because it gives A access to information not available to C itself - e.g., in
the example above C would not even know the value of y. As it is C who prepares
the state to be encrypted, it is reasonable to assume that it is C who should know
these intermediate measurements, not A. In the example above, what A could
see instead (provided he knows the circuit generating the state, as we assume in
qIND) is that the plaintext is a mixture $\rho = \sum_y \rho_y$ over all possible values of y.
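
The second example above, worked out numerically; this is an added example and not code from the paper. The hash h is replaced by SHA-256 truncated to a few bits and X by a small constructed set (assumptions chosen so that the preimage sets can be enumerated, which of course makes this h anything but collision resistant; the point is the shape of the states, not the hardness of h). The functions produce the collapsed state $|\psi_y\rangle$ that a gqIND adversary holds after observing y, and the mixture over y that is all a qIND adversary who only knows the generating circuit can describe.

```python
"""Measuring the h(x) register of |psi> = sum_x |X|^{-1/2} |x>|h(x)>.
Added example, not code from the paper."""
import hashlib
import math
import random
from collections import defaultdict


def toy_hash(x: int, out_bits: int) -> int:
    """Stand-in for the hash h: SHA-256 of x truncated to out_bits (assumption).
    At this size it is trivially invertible by enumeration."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)


def prepare_psi(X, h):
    """|psi> = sum_{x in X} |X|^{-1/2} |x>|h(x)>, stored as {(x, h(x)): amplitude}."""
    amp = 1 / math.sqrt(len(X))
    return {(x, h(x)): amp for x in X}


def outcome_weights(psi):
    """Born-rule probability p_y of each outcome y when the second register is measured."""
    weights = defaultdict(float)
    for (_, hx), amp in psi.items():
        weights[hx] += abs(amp) ** 2
    return dict(weights)


def collapse(psi, y):
    """Post-measurement state |psi_y>: uniform superposition over the preimages of y."""
    preimages = [x for (x, hx) in psi if hx == y]
    if not preimages:
        raise ValueError("y has no preimage in X, so it cannot be observed")
    amp = 1 / math.sqrt(len(preimages))
    return {x: amp for x in preimages}


def measure_second_register(psi, rng=random):
    """What the gqIND adversary does: sample y with probability p_y and keep |psi_y>.
    The value of y is random and unknown to C, and |psi_y> cannot be re-prepared for a
    chosen y without finding preimages of h."""
    weights = outcome_weights(psi)
    (y,) = rng.choices(list(weights), weights=list(weights.values()))
    return y, collapse(psi, y)


def mixture_marginal(psi):
    """What the classical description gives a qIND adversary: the mixture
    rho = sum_y p_y |psi_y><psi_y|. Returns its diagonal in the |x> basis, which is
    uniform over X and so carries no information about which y occurred."""
    marginal = defaultdict(float)
    for y, p_y in outcome_weights(psi).items():
        for x, amp in collapse(psi, y).items():
            marginal[x] += p_y * abs(amp) ** 2
    return dict(marginal)


if __name__ == "__main__":
    X = range(32)                       # constructed message set
    h = lambda x: toy_hash(x, 3)        # 3-bit toy hash
    psi = prepare_psi(X, h)
    y, psi_y = measure_second_register(psi, random.Random(7))
    print("observed y =", y, "preimages =", sorted(psi_y))
    uniform = all(abs(p - 1 / len(X)) < 1e-12 for p in mixture_marginal(psi).values())
    print("marginal of the mixture is uniform:", uniform)
```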

The possibility offered by gqIND of allowing the adversary to play the IND 
game with arbitrary states is certainly elegant from a theoretical point of view, 
but from the perspective of the quantum security of the kind of schemes we 
are considering, it is too broad in scope. The (c) model used in qIND, on the 
other hand, inherently provides guidelines and reasonable limitations on what a 
quantum adversary can or cannot do. Also, qIND is often easier to deal with: 
notice that in the (c) model, unlike in the ( Q ) model, A always receives back an 
unentangled state from a challenge query. In security reductions, this means that 
we can more easily simulate the challenger, and that we do not have to take care 
of measures of entanglement when analyzing the properties of quantum states - 
for example, indistinguishability of states can be shown by only resorting to the 
trace norm instead of the more general diamond norm. 

Furthermore, it is important to notice that all our new results in Section 6 are 
unaffected by the choice of either qIND or gqIND. Our impossibility result from 
Theorem 6.3 holds for qIND, and hence also for gqIND because of Theorem 3.3. 
On the other hand, the security proof of Construction 6.6 (Theorem 6.9) is 
given for gqIND, and holds therefore also for qIND. In fact, it remains unclear 
whether a separation between qIND and gqIND can be found at all in the realm 
of classical encryption schemes. We leave this as an interesting open question. 

Finally, we note that the q-IND-CPA-2 indistinguishability notion for secret- 
key encryption of quantum messages introduced by Broadbent and Jeffery [BJ15, 
Appendix B] resembles our gqIND notion, and it is in fact equivalent to it in 
the case that the encryption operation is a symmetric-key classical functionality 
operating in type-(2) mode. 

Theorem 3.4 (gqIND-qCPA ⇔ q-IND-CPA-2). Let $\mathcal{E}$ be a symmetric-key
encryption scheme. Then $\mathcal{E}$ is gqIND-qCPA secure iff $\mathcal{E}$ is q-IND-CPA-2 secure.

A proof of the above theorem can be found in Appendix C. A generalization
of q-IND-CPA-2 to arbitrary quantum encryption schemes, together with equivalent
notions of quantum semantic security, was given and analyzed in [ABF+16].
All these security notions are given in the context of ‘fully quantum encryption’, 
in the sense that the encryption schemes considered in [BJ15] and [ABF+16] 
are arbitrary quantum circuits acting natively on quantum data, while in this 
work we consider the quantum security of classical encryption schemes. The fully 
quantum homomorphic schemes which are shown to be secure in [BJ15], and the 
other quantum encryption schemes shown to be secure in [ABF+16], do not fall 
into the category of classical encryption schemes which we are studying here. On 
the other hand, as Theorem 6.9 shows, our Construction 6.6 is the first known 
example of a classical symmetric-key encryption scheme which is secure even 
against these kinds of ‘fully quantum’ security notions. 

4 New Notions of Quantum Semantic Security 

In this section, we initiate the study of suitable definitions of semantic security 
in the quantum world. As in the classical case, we are particularly interested in 
notions that can be proven equivalent to some version of quantum indistinguisha¬ 
bility. So these definitions actually describe the semantics of the equivalent IND 
notions. As in the classical case, we present these notions in the non-uniform 
model of computation. 

Working towards a quantum SEM notion, we restrict our analysis to the SEM 
challenge phase. For the learning phase, we stick to the ‘qCPA learning phase’, as 
in Definition 2.5, where the adversary has access to a quantum encryption oracle. 
In the end, we give a definition for quantum semantic security under quantum 
chosen-plaintext attacks (qSEM-qCPA) which we later prove equivalent to qlND- 
qCPA, thereby adding semantics to our qIND-qCPA notion. 
4.1 Classical Semantic Security under Quantum CPA

As a first notion of semantic security in the quantum world, we consider what 
happens if, like in the IND-qCPA notion, we stick to the classical definition 
but we allow for a quantum chosen-plaintext-attack phase. The definition uses 
a SEM-qCPA game that is obtained by combining qCPA learning phases with 
a classical SEM challenge phase as defined in Section 2. As in the classical case, 
A's success probability is compared to that of a simulator S that plays in a
reduced game: S gets no learning phase and during the challenge phase it only
receives the advice $h_m(x)$, not the ciphertext.

Definition 4.1 (SEM-qCPA). A secret-key encryption scheme is called SEM- 
qCPA-secure if for every quantum polynomial-time machine A, there exists a 
quantum polynomial-time machine S such that the challenge templates produced 
by S and A are identically distributed and the success probability of A winning the 
game defined by qCPA learning phases and a SEM challenge phase is negligibly 
close (in n) to the success probability of S winning the reduced game. 

Spoiler. It is easy to see that the SEM-qCPA notion of semantic security is 
equivalent to IND-qCPA, see Theorem 5.1. 

In Appendix D we discuss what happens if one also allows quantum advice 
states in this scenario, and why this option would not add anything meaningful. 


4.2 Quantum Semantic Security 

Here we define quantum semantic security under chosen-plaintext attacks (qSEM- 
qCPA). As in the classical case, we want the definition of semantic security to 
formally capture what we intuitively understand as a strong security notion. 
In the quantum case, there are several choices to be made. We start by giv¬ 
ing our formal definition of quantum semantic security, and justify our choices 
afterwards. 

Quantum SEM (qSEM) challenge phase: A sends to C a challenge template
consisting of classical descriptions of

— a quantum circuit G m taking poly (n)-bit classical input and outputting m- 
qubit plaintext states, 

— a quantum circuit h m taking m-qubit plaintexts as input and outputting 
poly (n)-qubit advice states, 

— a quantum circuit f m taking m-qubit plaintexts as input and outputting 
poly (n)-qubit target states. 

The challenger C samples $y \leftarrow \{0,1\}^{poly(n)}$ and computes two copies of the
plaintext $\rho_y = G_m(y)$. One is used to compute auxiliary information $h_m(\rho_y)$
and one to compute the ciphertext $U_{Enc_k}\rho_y U_{Enc_k}^\dagger$. C then replies with the pair
$(U_{Enc_k}\rho_y U_{Enc_k}^\dagger,\ h_m(\rho_y))$. A's goal is to output $f_m(\rho_y)$. We say that A wins the
qSEM-qCPA game if no quantum polynomial-time distinguisher can distinguish
A's output from the target state $f_m(\rho_y)$ with non-negligible advantage.

In the reduced game, S receives no encryption, but only the auxiliary information
$h_m(\rho_y)$ from C. Analogously to the above case, S wins the qSEM-qCPA
game if no quantum polynomial-time distinguisher can distinguish S's output
from the target state $f_m(\rho_y)$ with non-negligible advantage.

Definition 4.2 (qSEM-qCPA). A secret-key encryption scheme is called qSEM- 
qCPA-secure if for every quantum polynomial-time machine A, there exists a 
quantum polynomial-time machine S such that the challenge templates produced 
by S and A are identically distributed and the success probability of A winning 
the game defined by qCPA learning phases and a qSEM challenge phase is neg¬ 
ligibly close (in n) to the success probability of S winning the reduced game. 

When defining quantum semantic security, we have to deal with several is¬ 
sues: First, we have to define how the plaintext distribution is described. In the 
classical definition, the distribution is produced by a (classical) circuit G m run¬ 
ning on uniform input bits. We take the same approach here, but let G m output 
m-qubit plaintexts. 

The second question is how to define the advice function. While the input
should be the plaintext quantum state $\rho_y$, the output could be either quantum
or classical. We decided to allow quantum advice as it leads to a more general
model and it includes classical outputs as a special case. In order for the challenger
to compute both the encryption of the plaintext state $\rho_y$ and the advice
state $h_m(\rho_y)$ without violation of the no-cloning theorem, we exploit how we
generate the message state. We simply run $G_m$ twice on the same classical randomness
y to generate two copies of the plaintext state $\rho_y$. Another option would
have been to allow for entanglement between the plaintext message $\rho_y$ and the
advice state $h_m(\rho_y)$. Allowing such entanglement would model side-channel
information the attacker could obtain, for instance by learning the content of some
internal register of the attacked device. However, the resulting notion would not
be equivalent with qIND-qCPA anymore, because in qIND-qCPA, the challenge
plaintexts are provided by their classical descriptions and can therefore not be
entangled with the attacker.

Third, we have chosen to model the target function $f_m$ in the same way
as the advice function $h_m$, i.e. we allow arbitrary quantum circuits that might
output quantum states. The reasoning behind allowing quantum output is again
to use the strongest possible, most general model. Allowing quantum output
however leads to the problem that, in general, we cannot physically test anymore
if an adversary A outputs exactly the result of the target function $f_m(\rho_y)$.
One option would be to require A's output to be close to $f_m(\rho_y)$ in terms of
their trace distance. But two quantum states can be quantum-polynomial-time
indistinguishable even if their trace distance is large^10. Since we are only interested
in computational security notions, we solve this problem by requiring QPT
indistinguishability as success condition for winning the SEM game.

10 Think of two different classical ciphertexts which are encrypted using a quantum-computationally
secure encryption scheme. Then, the ciphertext states are orthogonal (and hence their
trace distance is maximal), but they are computationally indistinguishable.

Spoiler. Our qSEM-qCPA notion of semantic security is equivalent to qIND-qCPA,
and unachievable for those schemes which leave the size of the message
unchanged (like most block ciphers), see Section 6.1.

5 Relations 

In this section we show relations between our new notions of indistinguishability 
and semantic security in the quantum world. It is already known [GM84,Gol04] 
that classically, IND-CPA and semantic security are equivalent. Our goal is to 
show a similar equivalence for our new notions, plus to show a hierarchy of 
equivalent security notions. Our results are summarized in Figure 2. 


Fig. 2. The relations between notions of indistinguishability and semantic security in
the quantum world (previously known results in gray). [Figure not reproduced; it arranges
the notions from weaker to stronger: the classical notions SEM-CPA ⇔ IND-CPA; the quantum
notions SEM-qCPA ⇔ IND-qCPA and qSEM-qCPA ⇔ qIND-qCPA; gqIND-qCPA and the "fully quantum"
notions (q-IND-CPA, q-IND-CPA-2, q-SEM-CPA, etc.); and the unachievable notions (fqIND-qCPA).]


We start by proving equivalence between IND-qCPA and SEM-qCPA. 

Theorem 5.1 (IND-qCPA ⇔ SEM-qCPA). Let $\mathcal{E}$ be a symmetric-key
encryption scheme. Then $\mathcal{E}$ is IND-qCPA secure iff $\mathcal{E}$ is SEM-qCPA secure.

We split the proof of Theorem 5.1 into two propositions - one per direc¬ 
tion. They closely follow the proofs for the classical case (see [Gol04, Proof of 
Th. 5.4.11]), we recall them as they work as guidelines for the following proofs. 

Proposition 5.2 (IND-qCPA ⇒ SEM-qCPA).

Proposition 5.3 (SEM-qCPA ⇒ IND-qCPA).

Proof (of Proposition 5.2 - Sketch.). The idea of the proof is to hand A's circuit
as non-uniform advice to the simulator S. S runs A's circuit and impersonates
the challenger C by generating a new key and answering all of A's queries using
this key. When it comes to the challenge query, S encrypts the 1...1 string of
the same length as the original message. It follows from the indistinguishability
of encryptions that the adversary's success probability in this game must be
negligibly close to its success probability in the real semantic-security game,
which concludes the proof. The only difference in the -qCPA case is that A and
S are quantum circuits, and that S has to emulate the quantum encryption
oracle instead of a classical one. □

Proof (of Proposition 5.3). We recall here the full proof as it is short. Assume
there exists an efficient distinguisher A against the IND-qCPA security of $\mathcal{E}$.
Then we show how to construct an oracle machine $\mathcal{M}^{\mathcal{A}}$ that has access to
A and breaks the SEM-qCPA security of the scheme. $\mathcal{M}^{\mathcal{A}}$ runs A, emulating
the quantum encryption oracle by simply forwarding all the qCPA queries
to its own oracle. As A executes an IND challenge query on m-bit messages
$(x_0, x_1)$, $\mathcal{M}^{\mathcal{A}}$ produces the SEM template $(G_m, h_m, f_m)$ with $G_m$ describing the
uniform distribution over $\{x_0, x_1\}$, $h_m = 1^n$ (or any other function such that
$h_m(x_0) = h_m(x_1)$), and $f_m$ a function that fulfills $f_m(x_0) = 0$ and $f_m(x_1) = 1$
(i.e., the distinguishing function). Then $\mathcal{M}^{\mathcal{A}}$ performs a SEM challenge query
with this template, and given challenge ciphertext c, uses it to answer A's query.
If, at that point, A performs more qCPA queries, $\mathcal{M}^{\mathcal{A}}$ answers again by forwarding
all these queries to its own oracle. Finally, $\mathcal{M}^{\mathcal{A}}$ outputs A's output. As
A distinguishes encryptions of $x_0$ and $x_1$ with non-negligible success probability,
A will return the correct value of $f_m$ with recognizably higher probability than
guessing. As $h_m$ is independent of the encrypted message, no simulator can do
better than guessing. Hence, $\mathcal{M}^{\mathcal{A}}$ has a non-negligible advantage to output the
right value of $f_m$. □

Next, we show equivalence between qIND-qCPA and qSEM-qCPA. 

Theorem 5.4 (qIND-qCPA ⇔ qSEM-qCPA). Let $\mathcal{E}$ be a symmetric-key encryption
scheme. Then $\mathcal{E}$ is qIND-qCPA secure iff $\mathcal{E}$ is qSEM-qCPA secure.

Again, we split the proof of Theorem 5.4 into two propositions.

Proposition 5.5 (qIND-qCPA ⇒ qSEM-qCPA).

Proposition 5.6 (qSEM-qCPA ⇒ qIND-qCPA).

Proof (of Proposition 5.5 - Sketch.). The proof follows that of Proposition 5.2,
with some careful observations. Since A is a QPT adversary against the qSEM-qCPA
game, A's circuit has a short classical representation ℓ. So S gets ℓ as non-uniform
advice and hence can implement and run A. The simulator S simulates
C for A by generating a new key and answering all of A's qCPA queries. When
it comes to the challenge query, A produces a qSEM template, which S forwards
to the real C. Then S forwards C's reply, plus a bogus encrypted state (e.g.,
$U_{Enc_k}|1\ldots1\rangle$), to A. If at this point A outputs a state φ which can be efficiently
distinguished from the correct $f_m(\rho_y)$ computed by the real C, we would have
an efficient distinguisher against the qIND-qCPA security of the scheme. Hence,
A's (and therefore also S's) output must be indistinguishable from $f_m(\rho_y)$ for
any QPT distinguisher, which concludes the proof. □
Proof (of Proposition 5.6). This is also similar to the proof of Proposition 5.3.
Given an efficient distinguisher A for the qIND-qCPA game, our adversary for
the qSEM-qCPA game is an oracle machine $\mathcal{M}^{\mathcal{A}}$ running A and acting as follows.
Concerning A's qCPA queries, as usual $\mathcal{M}^{\mathcal{A}}$ just forwards everything to the
qSEM-qCPA challenger C. When A performs a challenge qIND query by sending
the classical descriptions of two states $\rho_0$ and $\rho_1$, $\mathcal{M}^{\mathcal{A}}$ prepares the qSEM
template $(G_m, h_m, f_m)$, with $G_m$ outputting $\rho_0$ for half of the possible y values
and $\rho_1$ for the other half, $h_m(\rho_y) = 1^n$, and $f_m$ the identity map $f_m(\rho_y) = \rho_y$.
Then $\mathcal{M}^{\mathcal{A}}$ performs a qSEM challenge query with this template. Given challenge
ciphertext state $U_{Enc_k}\rho_b U_{Enc_k}^\dagger$ (for $b \in \{0,1\}$), he forwards it as an answer to
A's challenge query. As A distinguishes $U_{Enc_k}\rho_0 U_{Enc_k}^\dagger$ from $U_{Enc_k}\rho_1 U_{Enc_k}^\dagger$ with
non-negligible success probability, A returns the correct value of b with non-negligible
advantage over guessing. Then $\mathcal{M}^{\mathcal{A}}$, having recorded a copy of the
classical descriptions of $\rho_0$ and $\rho_1$, is able to compute the state $f_m(\rho_b)$ exactly,
and consequently win the qSEM-qCPA game with non-negligible advantage. As
$h_m$ generates the same advice state $h_m(\rho_y) = 1^n$ independently of the encrypted
message, no simulator can do better than guessing the plaintext. This concludes
the proof. □


Finally, we show the separation result between the two classes of security we 
have identified (we show it between IND-qCPA and qIND-qCPA). This shows 
that qIND-qCPA (and equivalently qSEM-qCPA) is a strictly stronger notion 
than IND-qCPA (which is equivalent to SEM-qCPA). 


Theorem 5.7 (IND-qCPA ⇏ qIND-qCPA). There exists a symmetric-key
encryption scheme $\mathcal{E}$ which is IND-qCPA secure but not qIND-qCPA secure.

Proof (of Theorem 5.7). The scheme we use as a counterexample is the one
from [Gol04] (Construction 5.3.9). It has been proven in [BZ13] that this scheme
is IND-qCPA secure if the used PRF is post-quantum secure. We exhibit a
distinguisher A which breaks the qIND-qCPA security of this scheme with high
probability. For ease of notation we restrict to the case of single-bit messages 0
and 1. A will simply choose as challenge states $|\varphi_0\rangle = H|0\rangle = \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$
and $|\varphi_1\rangle = H|1\rangle = \frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle$. When the challenger C applies the type-(2)
transformation to either of these two states, it is easy to see that in any case
the state is left unchanged (up to a global phase, which no measurement can
detect). This is because $U_{Enc_k}$ just applies a permutation in
the space of the basis elements, but $|\varphi_0\rangle$ and $|\varphi_1\rangle$ have the same amplitudes on
all their components, except for the sign. As these two states are orthogonal,
they can be reliably distinguished by the adversary A (by applying H and
measuring), who can then win the qIND-qCPA game with probability 1. □

The above proof can be generalized to message states of arbitrary length, as 
our impossibility result in Section 6.1 shows. 
6 Impossibility and Achievability Results

In this section we show that qIND-qCPA (and equivalently qSEM-qCPA) is 
impossible to achieve for encryption schemes which do not expand the mes¬ 
sage (such as stream ciphers and many block ciphers, without considering the 
randomness part in the ciphertext). Therefore, for a scheme to be secure ac¬ 
cording to this new definition, it is necessary (but not sufficient) to increase the 
message size during the encryption. Interestingly, such an increase happens in 
most public-key post-quantum encryption schemes, like for example LWE based 
schemes [LP11] or the McEliece scheme [McE78]. 

Then we propose a construction of a qIND-qCPA-secure symmetric-key en¬ 
cryption scheme. Our construction works for any (quantum-secure) pseudoran¬ 
dom permutation (PRP). Given that block ciphers are usually modelled as PRPs, 
it seems reasonable to assume that we can obtain a secure scheme when using 
block ciphers with sufficiently large key and block size. Hence, our construc¬ 
tion can be used to patch existing schemes, or as a guideline in the design of 
quantum-secure encryption schemes from block ciphers. 


6.1 Impossibility Result 

First we formally define what it means for a cipher to expand or keep constant 
the message size by defining the core function of a (secret-key) encryption 
scheme. Intuitively, the definition splits the ciphertext into the randomness and 
a part carrying the message-dependent information. This definition covers most 
encryption schemes in the literature. 

Definition 6.1 (Core function). Let $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be a secret-key encryption 
scheme. We call the function $f : \mathcal{K} \times \{0,1\}^\tau \times \mathcal{M} \to \mathcal{Y}$ the core function of 
the encryption scheme if, for some $\tau \in \mathbb{N}$: 

— for all $k \in \mathcal{K}$ and $x \in \mathcal{M}$, $\mathsf{Enc}_k(x)$ can be written as $(r, f(k, r, x))$, where 
$r \in \{0,1\}^\tau$ is independent of the message; and 

— there exists a function $f'$ such that for all $k \in \mathcal{K}$, $r \in \{0,1\}^\tau$, $x \in \mathcal{M}$, we 
have $f'(k, r, f(k, r, x)) = x$. 

For example, in case of Construction 5.3.9 from [Gol04] (where $\mathsf{Enc}_k(x)$ is 
defined as $(r, F_k(r) \oplus x)$ for a PRF $F$) the core function is $f(k, r, x) = F_k(r) \oplus x$, 
with $f'(k, r, z) = z \oplus F_k(r)$. 

Definition 6.2 (Quasi length-preserving encryption). We call a secret-key 
encryption scheme with core function $f$ quasi-length-preserving if 
$$\forall x \in \mathcal{M},\ r \in \{0,1\}^\tau,\ k \in \mathcal{K}:\quad |f(k, r, x)| = |x|,$$ 
i.e., if the output of the core function has the same bit length as the message. 

Continuing the above example, Construction 5.3.9 from [Gol04] is 
quasi-length-preserving. 

The crucial observation is the following: For a quasi-length-preserving encryption 
scheme, the space of possible input and (core function) output bitstrings 
(with respect to plaintext and ciphertext) coincide, therefore these ciphers act 
as permutations on this space. This means that if we start with an input state 
which is a superposition of all the possible basis states, all of them with the 
same amplitude, this state will be unchanged by the unitary type-(2) encryption 
operation (because it will just 'shuffle' in the basis-state space amplitudes which 
are exactly the same). 

Theorem 6.3 (Impossibility Result). No quasi-length-preserving secret-key 
encryption scheme can be qIND secure. 

Proof. Let $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be a quasi-length-preserving scheme. We show an 
attack that is a generalization of the distinguishing attack in Theorem 5.7. 

1. For $m$-bit message strings, the distinguisher $\mathcal{D}$ sets the two plaintext states 
for the qIND game to be $|\varphi_0\rangle = H|0^m\rangle$ and $|\varphi_1\rangle = H|1^m\rangle$, where $H$ is the $m$-fold 
tensor Hadamard transformation. Notice that both these states admit 
efficient classical representations, and are thus allowed in the qIND game. 

2. The challenger flips a random bit $b$ and returns $|\psi\rangle = U_{\mathsf{Enc}_k}|\varphi_b\rangle$. 

3. $\mathcal{D}$ applies $H$ to the core-function part of the ciphertext $|\psi\rangle$ and measures it 
in the computational basis. $\mathcal{D}$ outputs 0 if and only if the outcome is $0^m$, 
and outputs 1 otherwise. 

As already observed, applying $U_{\mathsf{Enc}_k}$ to $H|0^m\rangle$ leaves the state untouched: 
since the encryption oracle merely performs a permutation in the basis space, 
and since $|\varphi_0\rangle$ is a superposition of every basis element with the same amplitude, 
it follows that whenever $b$ is equal to 0, the ciphertext state will be unchanged. 
In this case, after applying the self-inverse transformation $H$ again, $\mathcal{D}$ obtains 
measurement outcome $0^m$ with probability 1. On the other hand, if $b = 1$, 
$$|\varphi_1\rangle = \frac{1}{\sqrt{2^m}} \sum_{y \in \{0,1\}^m} (-1)^{1^m \cdot y}\, |y\rangle,$$ 
where $a \cdot b$ denotes the bitwise inner product between $a$ and $b$. Hence, $|\varphi_1\rangle$ is a 
superposition of every basis element where (depending on the parity of $y$) half of 
the elements have a positive amplitude and the other half have a negative one, but 
all of them are equal in absolute value. Applying $U_{\mathsf{Enc}_k}$ to this state results in 
$\frac{1}{\sqrt{2^m}} \sum_y (-1)^{1^m \cdot y}\, |\mathsf{Enc}_k(y)\rangle$, where $\mathsf{Enc}_k(y)$ here denotes the core-function part 
of the ciphertext for the randomness $r$ fixed by the challenger (a permutation of $\{0,1\}^m$ 
by quasi-length-preservation). After re-applying $H$, the amplitude of the basis state 
$|0^m\rangle$ becomes 
$$\frac{1}{2^m} \sum_{y \in \{0,1\}^m} (-1)^{1^m \cdot y + \mathsf{Enc}_k(y) \cdot 0^m} = \frac{1}{2^m} \sum_{y \in \{0,1\}^m} (-1)^{1^m \cdot y},$$ 
which is easily calculated to be 0. Hence, the above attack gives $\mathcal{D}$ a way of perfectly 
distinguishing between encryptions of the two plaintext states. $\square$ 

Notice that the above attack also works if $\mathcal{A}$ is allowed to send quantum 
states to $\mathcal{C}$ directly. Therefore, it also holds for the gqIND notion of quantum 
indistinguishability described in Section 3. In particular, the above theorem shows 
that [Gol04, Construction 5.3.9], which in [BZ13] was shown to be IND-qCPA if 
the used PRF is quantum secure, does not fulfill qIND, nor gqIND. 

This attack is a consequence of the well-known fact that, in order to perfectly 
(information-theoretically) encrypt a single quantum bit, two bits of classical 
information are needed: one to hide the basis bit, and one to hide the phase (i.e. 
the signs of the amplitudes). The fact that we are restricted to quantum operations 
of the form $U_{\mathsf{Enc}_k}$, that is, quantum instantiations of classical encryptions, 
means that we cannot afford to hide the phase as well, and this restriction 
allows for an easy distinguishing procedure. 

6.2 Secure Construction 

Here we propose a construction of a qIND-qCPA secure symmetric-key encryption 
scheme from any family of quantum-secure pseudorandom permutations 
(see Appendix A for formal definitions). 

Construction 6.4. For security parameter $n$, let $m = \mathrm{poly}(n)$ and $\tau = \mathrm{poly}(n)$. 
Consider an efficient family of permutations $\Pi_{m+\tau} = (I, \Pi, \Pi^{-1})$ with key space 
$\mathcal{K}_n$ that operates on bit strings of length $m + \tau$, and consider a plaintext message 
space $\mathcal{M} = \{0,1\}^m$, key space $\mathcal{K} = \mathcal{K}_n$, and ciphertext space $\mathcal{C} = \{0,1\}^{m+\tau}$. 
The construction is given by the following algorithms: 

Key generation algorithm $k \leftarrow \mathsf{Gen}(1^n)$: on input of security parameter $n$, 
the key generation algorithm runs $k \leftarrow I(1^{m+\tau})$ and returns secret key $k$. 

Encryption algorithm $y \leftarrow \mathsf{Enc}_k(x)$: on input of message $x \in \mathcal{M}$ and key 
$k \in \mathcal{K}$, the encryption algorithm samples a $\tau$-bit string $r \leftarrow \{0,1\}^\tau$ uniformly 
at random, and outputs $y = \pi_k(x \| r)$ ($\|$ denotes string concatenation). 

Decryption algorithm $x \leftarrow \mathsf{Dec}_k(y)$: on input of ciphertext $y \in \mathcal{C}$ and key 
$k \in \mathcal{K}$, the decryption algorithm first runs $x' = \pi_k^{-1}(y)$, and then returns the 
first $m$ bits of $x'$. 

The soundness of the construction can be easily checked. The security is 
stated in the following theorem. 

Theorem 6.5 (qIND-qCPA security of Construction 6.4). If $\Pi_{m+\tau}$ is a 
family of quantum-secure pseudorandom permutations (qPRP), then the encryption 
scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ defined in Construction 6.4 is qIND-qCPA secure. 

In the next section, we prove the security of a more powerful scheme which 
includes the above theorem as a special case of a single message block. 
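The following Python program is an added example, not code from the paper: it simulates the distinguisher of Theorem 6.3 on an explicit amplitude vector and runs it against the core function of [Gol04, Construction 5.3.9] (the PRF output $F_k(r)$ is replaced by a fixed pad, an assumption of the example) and against a single block of Construction 6.4 (the qPRP is replaced by a fixed seeded shuffle of $\{0,1\}^{m+\tau}$, also an assumption and not a secure permutation). For the quasi-length-preserving scheme the all-zero outcome appears with probability 1 when $b = 0$ and 0 when $b = 1$, for every pad; against the padded construction the same attack only reaches $2^{-\tau}$ versus 0, for every permutation, because the random bits enter the permutation instead of travelling in the clear next to a length-preserving core. The second number only says that this particular attack fails; the security of Construction 6.4 is the content of Theorem 6.5, not of this simulation.

```python
"""Added example (not part of the paper): a classical simulation of the
Hadamard distinguishing attack of Theorem 6.3, run against the
quasi-length-preserving scheme [Gol04, Construction 5.3.9] and against
a single block of Construction 6.4.

An m-qubit register is a list of 2**m real amplitudes. The type-(2)
encryption with the classical randomness r already fixed by the challenger
is the basis permutation |x> -> |f(k, r, x)> on the core-function part,
so it can be simulated by moving amplitudes around."""
import math
import random
from typing import Callable, List, Sequence

Perm = Callable[[int], int]


def hadamard_all(state: Sequence[float]) -> List[float]:
    """Apply H on every qubit (H tensor ... tensor H), i.e. the normalised
    Walsh-Hadamard transform of the amplitude vector."""
    out = list(state)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                a, b = out[j], out[j + h]
                out[j], out[j + h] = (a + b) / math.sqrt(2), (a - b) / math.sqrt(2)
        h *= 2
    return out


def plaintext_state(m: int, b: int) -> List[float]:
    """|phi_b> = H^{(x)m} |b^m>: the two challenge states of Theorem 6.3."""
    basis = [0.0] * (1 << m)
    basis[(1 << m) - 1 if b else 0] = 1.0
    return hadamard_all(basis)


def type2_encrypt(state: Sequence[float], perm: Perm) -> List[float]:
    """U_Enc for a fixed r: the amplitude of |y> moves to |perm(y)>."""
    out = [0.0] * len(state)
    for y, amp in enumerate(state):
        out[perm(y)] += amp
    return out


def goldreich_core(pad: int) -> Perm:
    """Core function of [Gol04, Construction 5.3.9] for a fixed r:
    x -> F_k(r) XOR x. `pad` stands in for the PRF output F_k(r) (assumption)."""
    return lambda x: x ^ pad


def shuffled_permutation(n_bits: int, seed: int) -> Perm:
    """A fixed permutation of {0,1}^n standing in for pi_k of Construction 6.4.
    A seeded shuffle is an assumption of this example and NOT a secure PRP."""
    table = list(range(1 << n_bits))
    random.Random(seed).shuffle(table)
    return table.__getitem__


def prob_outcome_zero(m: int, b: int, perm: Perm, tau: int = 0, r: int = 0) -> float:
    """Run the distinguisher: encrypt |phi_b> with tau bits of classical
    randomness r appended (as in Construction 6.4; tau = 0 is the
    quasi-length-preserving case), apply H to every ciphertext qubit and
    return the probability of measuring the all-zero string, i.e. the
    probability that D outputs 0."""
    state = [0.0] * (1 << (m + tau))
    for y, amp in enumerate(plaintext_state(m, b)):
        state[(y << tau) | r] = amp          # |phi_b> (x) |r>
    cipher = type2_encrypt(state, perm)
    return hadamard_all(cipher)[0] ** 2


def distinguishing_advantage(m: int, perm: Perm, tau: int = 0, r: int = 0) -> float:
    """Pr[D outputs 0 | b = 0] - Pr[D outputs 0 | b = 1]."""
    return prob_outcome_zero(m, 0, perm, tau, r) - prob_outcome_zero(m, 1, perm, tau, r)


if __name__ == "__main__":
    m, tau = 3, 2
    # Quasi-length-preserving: every permutation of {0,1}^m is broken perfectly.
    print("Gol04 5.3.9 advantage:", distinguishing_advantage(m, goldreich_core(0b101)))
    # Construction 6.4: the same attack reaches only 2^-tau, whatever pi_k is.
    pi = shuffled_permutation(m + tau, seed=2016)
    print("Construction 6.4 advantage:", distinguishing_advantage(m, pi, tau, r=0b01))
```

Run it directly to print both advantages for $m = 3$, $\tau = 2$; the registers are deliberately tiny so that the whole state vector fits in a list and the simulation is exact rather than sampled.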

6.3 Length Extension 

Construction 6.4 has the drawback that the message length is upper bounded 
by the input length of the qPRP (minus the bit length of the randomness). 
However, like in the case of block ciphers, we can overcome this issue with a 
mode of operation. More specifically, we can handle arbitrary message lengths 
by splitting the message into $m$-bit blocks and applying the encryption algorithm 
of Construction 6.4 independently to each message block (using the same key 
but new randomness for each block). This procedure is akin to a 'randomized 
ECB mode', in the sense that each message block is processed separately, like in 
the ECB (Electronic Code Book) mode, but in our case the underlying cipher 
is inherently randomized (since we use fresh randomness for each block), so we 
can still achieve qCPA security. For simplicity we consider only message lengths 
which are multiples of $m$. The construction can be generalized to arbitrary message 
lengths using standard padding techniques. Moreover, the randomness for 
every block can be generated efficiently using a random seed and a post-quantum 
secure PRNG. 

Construction 6.6. For security parameter $n$, let $m = \mathrm{poly}(n)$ and $\tau = \mathrm{poly}(n)$. 
Consider an efficient family of permutations $\Pi_{m+\tau} = (I, \Pi, \Pi^{-1})$ with key space 
$\mathcal{K}_n$ that operates on bit strings of length $m + \tau$, and consider a plaintext message 
space $\mathcal{M} = \{0,1\}^{\mu m}$ for $\mu \in \mathbb{N}$, $\mu = \mathrm{poly}(n)$, key space $\mathcal{K} = \mathcal{K}_n$, and ciphertext 
space $\mathcal{C} = \{0,1\}^{\mu(m+\tau)}$. The construction is given by the following algorithms: 

Key generation algorithm $k \leftarrow \mathsf{Gen}(1^n)$: on input of security parameter $n$, 
the key generation algorithm runs $k \leftarrow I(1^{m+\tau})$ and returns secret key $k$. 

Encryption algorithm $y \leftarrow \mathsf{Enc}_k(x)$: on input of message $x \in \mathcal{M}$ and key 
$k \in \mathcal{K}$, the encryption algorithm splits $x$ into $\mu$ $m$-bit blocks $x_1, \ldots, x_\mu$. For 
each block $x_i$, the encryption algorithm samples a new $\tau$-bit string $r_i \leftarrow 
\{0,1\}^\tau$ uniformly at random, and outputs $y_i = \pi_k(x_i \| r_i)$ ($\|$ denotes string 
concatenation). The ciphertext is $y = y_1 \| \ldots \| y_\mu$. 

Decryption algorithm $x \leftarrow \mathsf{Dec}_k(y)$: on input of ciphertext $y \in \mathcal{C}$ and key 
$k \in \mathcal{K}$, the decryption algorithm first splits $y$ into $\mu$ $(m+\tau)$-bit blocks $y_1, \ldots, y_\mu$. 
Then, it runs $x'_i = (\pi_k^{-1}(y_i))_m$ for each block (where $(s)_m$ refers to taking 
the first $m$ bits of bit string $s$). It returns the plaintext $x' = x'_1 \| \ldots \| x'_\mu$. 

The soundness of the construction can be checked easily. For the security, we 
observe that splitting a $\mu m$-qubit plaintext state into $\mu$ blocks of $m$ qubits can 
introduce entanglement between the blocks. We will address this issue through 
the following technical lemma. 

Lemma 6.7. Let $\mathcal{E}$ be the quantum channel that takes as input an arbitrary $m$-qubit 
state, attaches another $\tau$ qubits in state $|0\rangle$, and then applies a permutation 
picked uniformly at random from $S_{2^{m+\tau}}$ to the computational basis space. Let $\mathcal{T}$ 
be the constant channel which maps any $m$-qubit state to the totally mixed state 
on $m + \tau$ qubits. Then, $\|\mathcal{E} - \mathcal{T}\|_\diamond \le 2^{-\tau+2}$. 

Proof. In order to account for the fact that the $m$-qubit input state might be entangled 
with something else, we have to start with a purification of such a state. 
Formally, this is a bipartite pure $2m$-qubit state $|\phi\rangle_{XY} = \sum_{x,y} \alpha_{x,y} |x\rangle_X |y\rangle_Y$ 
whose $m$-qubit $Y$ register is input into the channel and gets transformed into 
$$\mathrm{id}_X \otimes \mathcal{E}(|\phi\rangle\langle\phi|) = \mathrm{tr}_\Pi |\psi\rangle\langle\psi| \quad\text{where}\quad 
|\psi\rangle = \frac{1}{\sqrt{|S_{2^{m+\tau}}|}} \sum_{x \in \{0,1\}^m,\ y \in \{0,1\}^m,\ \pi \in S_{2^{m+\tau}}} \alpha_{x,y}\, |x\rangle_X\, |\pi(y \| 0)\rangle_C\, |\pi\rangle_\Pi .$$ 

By definition of the diamond norm, we have to show that for any $2m$-qubit state 
$\rho$, we have $\|(\mathrm{id} \otimes \mathcal{E})(\rho) - (\mathrm{id} \otimes \mathcal{T})(\rho)\|_{\mathrm{tr}} \le 2^{-\tau+2}$. Due to the convexity 
of the trace distance, we may assume that $\rho = |\phi\rangle\langle\phi|$ is pure with $|\phi\rangle_{XY} = 
\sum_{x,y} \alpha_{x,y} |x\rangle_X |y\rangle_Y$. Hence, we obtain 
$$
\begin{aligned}
(\mathrm{id}_X \otimes \mathcal{E})(|\phi\rangle\langle\phi|) 
&= \mathrm{tr}_\Pi |\psi\rangle\langle\psi| \\
&= \frac{1}{|S_{2^{m+\tau}}|} \sum_{x,x',y,y',\pi} \alpha_{x,y} \overline{\alpha_{x',y'}}\, |x\rangle\langle x'|_X \otimes |\pi(y\|0)\rangle\langle \pi(y'\|0)|_C \\
&= \sum_{x,x',y} \alpha_{x,y} \overline{\alpha_{x',y}}\, |x\rangle\langle x'|_X \otimes \frac{1}{|S_{2^{m+\tau}}|} \sum_{\pi} |\pi(y\|0)\rangle\langle \pi(y\|0)|_C \\
&\quad + \sum_{x,x',y \neq y'} \alpha_{x,y} \overline{\alpha_{x',y'}}\, |x\rangle\langle x'|_X \otimes \frac{1}{|S_{2^{m+\tau}}|} \sum_{\pi} |\pi(y\|0)\rangle\langle \pi(y'\|0)|_C \\
&= \sum_{x,x',y} \alpha_{x,y} \overline{\alpha_{x',y}}\, |x\rangle\langle x'|_X \otimes \frac{1}{2^{m+\tau}} \sum_{z} |z\rangle\langle z|_C \\
&\quad + \sum_{x,x',y \neq y'} \alpha_{x,y} \overline{\alpha_{x',y'}}\, |x\rangle\langle x'|_X \otimes \frac{1}{2^{m+\tau}(2^{m+\tau}-1)} \sum_{z \neq z'} |z\rangle\langle z'|_C \\
&= \mathrm{tr}_Y |\phi\rangle\langle\phi| \otimes \tau_C + \chi_{XC} \\
&= (\mathrm{id}_X \otimes \mathcal{T})(|\phi\rangle\langle\phi|) + \chi_{XC},
\end{aligned}
$$
where $\tau_C$ denotes the totally mixed state on the $C$ register, and where we defined 
the "difference state" 
$$\chi_{XC} := \sum_{x,x',y \neq y'} \alpha_{x,y} \overline{\alpha_{x',y'}}\, |x\rangle\langle x'|_X \otimes \frac{1}{2^{m+\tau}(2^{m+\tau}-1)} \sum_{z \neq z'} |z\rangle\langle z'|_C .$$ 

In order to conclude, it remains to show that $\|\chi_{XC}\|_{\mathrm{tr}} \le 2^{-\tau+2}$. For the $C$ register 
$\chi_C = \frac{1}{2^{m+\tau}(2^{m+\tau}-1)} \sum_{z \neq z'} |z\rangle\langle z'|_C$ one can verify that the $2^{m+\tau}$ eigenvalues 
are $(c \cdot (2^{m+\tau}-1), -c, -c, \ldots, -c)$ where $c := \frac{1}{2^{m+\tau}(2^{m+\tau}-1)}$. Hence, the 
trace norm (which is the sum of the absolute eigenvalues) is exactly 
$c \cdot 2(2^{m+\tau}-1) = 2^{-m-\tau+1}$. 

For the $X$ register, we split $\chi_X$ into two parts $\chi_X = \xi_X - \xi'_X$ where 
$$\xi_X := \sum_{x,x'} |x\rangle\langle x'| \sum_{y,y'} \alpha_{x,y} \overline{\alpha_{x',y'}}, \qquad 
\xi'_X := \sum_{x,x'} |x\rangle\langle x'| \sum_{y} \alpha_{x,y} \overline{\alpha_{x',y}},$$ 
and use the triangle inequality for the trace norm $\|\chi_X\|_{\mathrm{tr}} = \|\xi_X - \xi'_X\|_{\mathrm{tr}} \le 
\|\xi_X\|_{\mathrm{tr}} + \|\xi'_X\|_{\mathrm{tr}}$. Observe that 
$\|\xi_X\|_{\mathrm{tr}} = \big\| \sum_{x,x'} |x\rangle\langle x'| \sum_{y,y'} \alpha_{x,y} \overline{\alpha_{x',y'}} \big\|_{\mathrm{tr}} = \| |s\rangle\langle s| \|_{\mathrm{tr}}$ 
for the (non-normalized) vector $|s\rangle := \sum_x \sum_y \alpha_{x,y} |x\rangle$. Hence, the trace norm is 
$$\|\xi_X\|_{\mathrm{tr}} = |\langle s|s\rangle| = \sum_x \Big|\sum_y \alpha_{x,y}\Big|^2 \le \sum_x \sum_y |\alpha_{x,y}|^2 \cdot 2^m = 2^m$$ 
by the Cauchy-Schwarz inequality and the normalization of the $\alpha_{x,y}$'s. Furthermore, we 
note that $\xi'_X$ is exactly the reduced density matrix of $|\phi\rangle_{XY}$ after tracing out 
the $Y$ register. Hence, $\xi'_X$ is positive semi-definite and its trace norm is equal to 
its trace, which is 1. In summary, we have shown that 
$$\|\chi_{XC}\|_{\mathrm{tr}} = \|\chi_X\|_{\mathrm{tr}} \cdot \|\chi_C\|_{\mathrm{tr}} \le \|\xi_X - \xi'_X\|_{\mathrm{tr}} \cdot 2^{-m-\tau+1} 
\le (\|\xi_X\|_{\mathrm{tr}} + \|\xi'_X\|_{\mathrm{tr}}) \cdot 2^{-m-\tau+1} \le (2^m + 1) \cdot 2^{-m-\tau+1} \le 2^{-\tau+2} .$$ 

$\square$ 


If we consider a slightly different encryption channel $\mathcal{E}_T$ which still maps $m$ 
qubits to $m + \tau$ qubits but where the permutation $\pi$ is not picked uniformly 
from $S_{2^{m+\tau}}$, but instead we are guaranteed that a certain set $T \subset \{0,1\}^{m+\tau}$ 
of outputs never occurs, we can consider such permutations w.l.o.g. as picked 
uniformly at random from a smaller set $S_{2^{m+\tau} - |T|}$. In this setting, we are interested 
in the distance of the encryption operation $\mathcal{E}_T$ from the slightly different 
constant channel $\mathcal{T}_T$ which maps all inputs to the $(m + \tau)$-qubit state which is 
completely mixed on the smaller set $\{0,1\}^{m+\tau} \setminus T$. By modifying slightly the 
proof of Lemma 6.7 we get the following. 


Corollary 6.8. Let $\mathcal{E}_T$ and $\mathcal{T}_T$ be the channels defined above. Then, 
$$\|\mathcal{E}_T - \mathcal{T}_T\|_\diamond \le \frac{4}{2^\tau - |T|/2^m} . \qquad (3)$$ 


We can now prove the security of Construction 6.6. We give the proof for 
gqIND-qCPA, and then qIND-qCPA follows immediately from Theorem 3.3. 


Theorem 6.9 (gqIND-qCPA security of Construction 6.6). If $\Pi_{m+\tau}$ is a 
family of quantum-secure pseudorandom permutations (qPRP), then the encryption 
scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ defined in Construction 6.6 is gqIND-qCPA secure. 

Proof. We want to show that no QPT distinguisher $\mathcal{D}$ can win the gqIND-qCPA 
game with probability substantially better than guessing. We first transform the 
game through a short game-hopping sequence into an indistinguishable game for 
which we can bound the success probability of any such $\mathcal{D}$. 

Game 0. This is the original gqIND-qCPA game. 

Game 1. This is like Game 0, but instead of using a permutation drawn from 
the qPRP family $\Pi_{m+\tau}$, a random permutation $\pi \in S_{2^{m+\tau}}$ is chosen from the 
set of all permutations over $\{0,1\}^{m+\tau}$. The difference in the success probability 
of $\mathcal{D}$ winning one or the other of these two games is negligible. Otherwise, we 
could use $\mathcal{D}$ to distinguish a random permutation drawn from $\Pi_{m+\tau}$ from one 
drawn from $S_{2^{m+\tau}}$. This would contradict the assumption that $\Pi_{m+\tau}$ is a qPRP. 

Game 2. This is like Game 1, but $\mathcal{D}$ is guaranteed that the randomness used for 
each encryption query are $\mu$ new random $\tau$-bit strings that were not used before. 
In other words, the challenger keeps track of all random values used so far and 
excludes those when sampling a new randomness. Since in Game 1 the same 
randomness is sampled twice only with negligible probability, the probability of 
winning these two games differs by at most a negligible amount. 

Game 3. This is like Game 2 except that the answer to each query asked by $\mathcal{D}$ 
also contains the randomness $r_1, \ldots, r_\mu$ used by the challenger for answering that 
query. Clearly, $\mathcal{D}$'s probability of winning this game is at least the probability 
of winning Game 2. 

When the modified gqIND game 3 starts, $\mathcal{D}$ chooses two different plaintext 
states and sends them to the challenger, who will then choose one of them and 
send it back encrypted with fresh randomness $\hat r_1, \ldots, \hat r_\mu$. Let $Q$ denote the set of 
$q \cdot \mu = \mathrm{poly}(n)$ query values used during the previous qCPA-phase. We have to 
consider that from this phase, $\mathcal{D}$ knows a set $T \subset \{0,1\}^{m+\tau}$ of 'taken' outputs, 
i.e. he knows that any $\pi(x \| \hat r_i)$ will not take one of these values as $\hat r_i$ has not been 
used before. So, from the adversary's point of view, $\pi$ is a permutation randomly 
chosen from $S'$, the set of those permutations over $\{0,1\}^{m+\tau}$ that fix these $|T|$ 
values. In order to simplify the proof, we will consider a very conservative bound 
where $|T| = q \cdot \mu \cdot 2^m$, and the size of $S'$ is $|S'| = (2^{m+\tau} - |T|)!$ (notice that 
this bound is very conservative because it assumes that the adversary learns $2^m$ 
different (classical) ciphertexts for every one of the $q \cdot \mu$ 'taken' randomnesses, but 
as we will see, this knowledge will still be insufficient to win the game). 

By construction, the encryption of a $\mu m$-qubit (possibly mixed) state $\sigma$ is 
performed in $\mu$ separate blocks of $m$ qubits each. We are guaranteed that fresh 
randomness is used in each block, hence it follows from Corollary 6.8 that $\mathsf{Enc}_k(\sigma)$ 
is negligibly close to the ciphertext state where the first $m + \tau$ qubits are replaced 
with the completely mixed state (by noting that $|T|/2^m = q \cdot \mu$ is polynomial 
in $n$ in our case, and hence the right-hand side of (3) is negligible). Another 
application of Corollary 6.8 gives negligible closeness to the ciphertext state 
where the first $2(m + \tau)$ qubits are replaced with the completely mixed state, etc. 
After $\mu$ applications of Corollary 6.8, we have shown that $\mathsf{Enc}_k(\sigma)$ is negligibly 
close to the totally mixed state on $\mu(m + \tau)$ qubits. As this argument can be 
made for any cleartext state $\sigma$, we have shown that from $\mathcal{D}$'s point of view, all 
encrypted states are negligibly close to the totally mixed state and therefore 
cannot be distinguished. $\square$ 

Corollary 6.10 (qIND-qCPA security of Construction 6.6). If $\Pi_{m+\tau}$ is a 
family of quantum-secure pseudorandom permutations (qPRP), then the encryption 
scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ defined in Construction 6.6 is qIND-qCPA secure. 


7 Conclusions and Further Directions 

We believe that many of the current security notions used in different areas of 
cryptography are unsatisfying in case quantum computers become reality. In this 
respect, our work contributes to a better understanding of which properties are 
important for the long-term security of modern cryptographic primitives. Our 
work leads to many interesting follow-up questions. 
There are many other directions to investigate, once the basic framework 
of 'indistinguishability versus semantic security' presented in this work is completed. 
A natural direction is to look at quantum CCA1 security in this framework. 
This topic was also initiated in [BZ13] relative to the IND-qCPA model; 
it would be interesting to extend the definition of CCA1 security to stronger 
notions obtained by starting from our qIND-qCPA model. 

In Section 3.3 we left open the interesting question of whether it is possible 
at all to find a separating example between the notions of qIND and gqIND. 
That is, find a symmetric-key encryption scheme $\mathcal{E}$ which is qIND-secure, but 
not gqIND-secure. Finding such an example (or a proof that none exists) would shed 
further light on the security model we consider. 

We have so far not taken into account models where the adversary is allowed 
to initialize the ancilla qubits used in the encryption operation used by the 
challenger (i.e. the $|y\rangle$ in $|x, y\rangle \mapsto |x, y \oplus \mathsf{Enc}_k(x)\rangle$). These models lead to the 
study of quantum fault attacks, because they model cases where the adversary 
is able to 'watermark' or tamper with part of the challenger's internal memory. 
Moreover, we have not considered superpositions of keys or randomness: these 
lead to a quantum study of weak-key and bad-randomness models. The authors 
of this paper are not aware of any results in these directions. 

One outstanding open problem is to define CCA2 (adaptive chosen ciphertext 
attack) security in the quantum world. The problem is that in the CCA2 game 
the challenger has to ensure that the attacker does not ask for a decryption of 
the actual challenge ciphertext leading to a trivial break. While this is easily 
implemented in the classical world, it raises several issues in the quantum world. 
What does it mean for a ciphertext to be different from the challenge ciphertext? 
And, more importantly: How can the challenger check? There might be several 
reasonable ways to solve the first issue but, as long as the queries are not classical, 
we are not aware of any possibility to solve the second issue without disturbing 
the challenge ciphertext and the query states. 

Our secure construction shows how to turn block ciphers into qIND-qCPA 
secure schemes. An interesting research question is whether there exists a general 
patch transforming an IND-qCPA secure scheme into a qIND-qCPA secure one. 
It is also important to study how our transformation can be applied to modes 
of operation different from Construction 6.6. 
A Formal Definitions 


Here we give some formal definitions that we omitted in the main body as they 
are somewhat standard. We include them for the paper to be self-contained. We 
begin with detailed formal definitions for SEM-CPA and IND-CPA. Afterwards 
we define quantum-secure pseudorandom permutations. 

SEM-CPA and IND-CPA. The following definitions are more precise than 
the ones we use in the main text. They are included here for reference and were 
taken from Goldreich ([Gol04]). 

Definition A.1 (SEM-CPA). A secret-key encryption scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ 
is said to be semantically secure under chosen plaintext attacks iff for every pair 
of probabilistic polynomial-time oracle machines $A_1$ and $A_2$, there exists a pair 
of probabilistic polynomial-time algorithms $A'_1$ and $A'_2$ such that the following 
two conditions hold: 

1. For every positive polynomial $p(\cdot)$, and all sufficiently large $n$ and $z \in 
\{0,1\}^{\mathrm{poly}(n)}$ it holds that 
$$
\Pr\left[ v = f_m(x) \ \text{where}\ 
\begin{array}{l}
k \leftarrow \mathsf{Gen}(1^n) \\
((S_m, h_m, f_m), \sigma) \leftarrow A_1^{\mathsf{Enc}_k}(1^n, z) \\
c \leftarrow (\mathsf{Enc}_k(x), h_m(x)),\ \text{where}\ x \leftarrow S_m(U_{\mathrm{poly}(n)}) \\
v \leftarrow A_2^{\mathsf{Enc}_k}(\sigma, c)
\end{array}
\right]
<
\Pr\left[ v = f_m(x) \ \text{where}\ 
\begin{array}{l}
((S_m, h_m, f_m), \sigma) \leftarrow A'_1(1^n, z) \\
x \leftarrow S_m(U_{\mathrm{poly}(n)}) \\
v \leftarrow A'_2(\sigma, 1^{|x|}, h_m(x))
\end{array}
\right]
+ \frac{1}{p(n)} .
\qquad (4)
$$

Recall that $(S_m, h_m, f_m)$ is a triplet of circuits consisting of a poly-sized 
circuit $S_m$ specifying a distribution over $m$-bit long plaintexts, a circuit computing 
an advice function $h_m : \{0,1\}^m \to \{0,1\}^*$, and a circuit computing 
a target function $f_m : \{0,1\}^m \to \{0,1\}^*$, and that $x$ is a sample from the 
distribution induced by $S_m$. 

2. For every $n$ and $z$, the first elements (i.e., the $(S_m, h_m, f_m)$ part) in the 
random variables $A'_1(1^n, z)$ and $A_1^{\mathsf{Enc}_{\mathsf{Gen}(1^n)}}(1^n, z)$ are identically distributed. 


Definition A.2 (IND-CPA). A secret-key encryption scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ 
is said to have indistinguishable encryptions under chosen plaintext attacks iff 
for every pair of probabilistic polynomial-time oracle machines $A_1$ and $A_2$, for 
every positive polynomial $p(\cdot)$, and all sufficiently large $n$ and $z \in \{0,1\}^{\mathrm{poly}(n)}$ it 
holds that 
$$\left| p^{(1)}_{n,z} - p^{(2)}_{n,z} \right| < \frac{1}{p(n)},$$ 
where 
$$
p^{(i)}_{n,z} \stackrel{\text{def}}{=} \Pr\left[ v = 1 \ \text{where}\ 
\begin{array}{l}
k \leftarrow \mathsf{Gen}(1^n) \\
((x_1, x_2), \sigma) \leftarrow A_1^{\mathsf{Enc}_k}(1^n, z) \\
c \leftarrow \mathsf{Enc}_k(x_i) \\
v \leftarrow A_2^{\mathsf{Enc}_k}(\sigma, c)
\end{array}
\right],
\qquad \text{where}\ |x_1| = |x_2| .
$$

Please note that there are no restrictions regarding $A$'s oracle queries, i.e. 
$A_1$ as well as $A_2$ are allowed to ask for encryptions of $x_1$ and $x_2$. 

Quantum PRP. We now define quantum-secure pseudorandom permutation 
families. We restrict ourselves to efficient permutation families that have as domain 
binary strings of a certain length as these are the only ones we are using 
in this work. Let $S_{2^n}$ be the set of all permutations of $n$-bit strings. 

Definition A.3 (Efficient Permutation Family). Let $n \in \mathbb{N}$; we call a family 
of permutations $\Pi_n = \{\pi_k : \{0,1\}^n \to \{0,1\}^n\} \subseteq S_{2^n}$ with key space $\mathcal{K}_n$ and 
domain $\{0,1\}^n$ efficient if there exists a triple of probabilistic polynomial-time 
algorithms $(I, \Pi, \Pi^{-1})$ such that: 

1. The initialization algorithm $I(1^n)$ takes as input the parameter $n$ and outputs 
a random function key $k \leftarrow \mathcal{K}_n$ from the key space. 

2. The function $\Pi$ takes as input a function key $k$ and a domain element $x$ and 
outputs $\pi_k(x)$. 

3. The function $\Pi^{-1}$ takes as input a function key $k$ and a domain element $x$ 
and outputs $\pi_k^{-1}(x)$. 

We sometimes abuse notation and write $\pi$ instead of $\pi_k$, and $\pi \leftarrow \Pi_n$ for the 
process of running $I(1^n)$. A quantum-secure pseudorandom permutation family 
(qPRP) is an efficient permutation family that achieves the pseudorandomness 
property in presence of a quantum adversary that can query the permutation $\pi$ 
with superpositions of domain elements $x$. It is defined as follows: 

Definition A.4 (Quantum PRP). An efficient permutation family $\Pi_n$ is said 
to be a quantum-secure pseudorandom permutation family if for every quantum 
polynomial-time oracle machine $\mathcal{A}$, it holds that 
$$\left| \Pr_{\pi \leftarrow \Pi_n}\left[ \mathcal{A}^{|\pi\rangle}(1^n) = 1 \right] - \Pr_{\pi \leftarrow S_{2^n}}\left[ \mathcal{A}^{|\pi\rangle}(1^n) = 1 \right] \right| \le \mathrm{negl}(n) ,$$ 
where the superscript $|\cdot\rangle$ denotes oracle access in superposition. 


Note that the permutations are chosen by the game. Hence, keys are classical. 

A permutation family $\Pi_n$ is called a strong quantum PRP if a random member 
of $\Pi_n$ is computationally indistinguishable from a uniform permutation even 
if the attacker $\mathcal{A}$ can query (in superposition) both the permutation $\pi$ and the 
inverse permutation $\pi^{-1}$. Notice that the construction in Theorem 6.5 does not 
require strong quantum PRPs. The reason is that, even if we are considering 
type-(2) transformations (which could be used to compute $\pi^{-1}$), these transformations 
are implemented by the challenger, because we are in the (C) model. 
And since we only consider CPA scenarios here, and not CCA, the adversary is 
never granted access to the decryption oracle. Hence, $\pi^{-1}$ is not needed by the 
reduction. 

B Example Encryption Scheme 

In this section we recall Construction 5.3.9 from [Gol04] which achieves IND- 
CPA security starting from a pseudorandom function family. 

Construction B.1 ([Gol04, Construction 5.3.9]). Let $n \in \mathbb{N}$ be the security 
parameter, $\tau, m \in \mathrm{poly}(n)$, and $F = \{F_k : \{0,1\}^\tau \to \{0,1\}^m \mid k \in \mathcal{K}\}$ be a pseudorandom 
function family with key space $\mathcal{K}$. Then the following triple of algorithms 
form a symmetric-key encryption scheme with message space $\{0,1\}^m$: 

$\mathsf{Gen}(1^n)$: On input of the security parameter, returns a uniformly random key 
$k \leftarrow \mathcal{K}$ for the PRF $F$ as secret key. 

$\mathsf{Enc}(x, k)$: On input of message $x$ and key $k$ returns ciphertext $c = (r, c')$ where 
the randomness $r \leftarrow \{0,1\}^\tau$ is a uniformly random $\tau$-bit string and $c'$ is computed 
as $c' \leftarrow F_k(r) \oplus x$. 

$\mathsf{Dec}(c, k)$: On input of ciphertext $c = (r, c')$ and key $k$ returns plaintext 
$x \leftarrow c' \oplus F_k(r)$. 

C Proof of Theorem 3.4 

In this section we explain how the q-IND-CPA-2 indistinguishability notion for 
secret-key encryption of quantum messages introduced by Broadbent and Jeffery 
[BJ15, Appendix B] is equivalent to our gqIND-qCPA notion in the case 
that the encryption operation is a symmetric-key classical functionality operating 
in type-(2) mode. In [BJ15], the authors study the definition of quantum 
indistinguishability relative to the case of quantum fully homomorphic encryption. 
The general definition of quantum symmetric-key encryption scheme has 
been formalized in [ABF+16] in the following way. 

Definition C.1. A quantum symmetric-key encryption scheme (or qSKE) is a 
triple of quantum circuit families of polynomial depth: 

1. (key generation) $\mathsf{Q.Gen} : 1^n \mapsto k \in \mathcal{K}$, 

2. (encryption) $\mathsf{Q.Enc} : \mathcal{K} \times \mathcal{X} \to \mathcal{Y}$, 

3. (decryption) $\mathsf{Q.Dec} : \mathcal{K} \times \mathcal{Y} \to \mathcal{X}$, 

such that $\|\mathsf{Q.Dec} \circ \mathsf{Q.Enc} - I_{\mathcal{X}}\|_\diamond \le \mathrm{negl}(n)$ for all $k \in \mathrm{Supp}(\mathsf{Q.Gen}(1^n))$, where 
$\mathcal{K}$ is the key space, $\mathcal{X}$ is the plainstate space, $\mathcal{Y}$ is the cipherstate space, $I$ is 
the identity operator, and $\mathsf{Q.Dec}$, $\mathsf{Q.Enc}$ must be intended acting with the same 
(classical) key $k$. 

Then the authors of [ABF+16] define a notion of quantum indistinguishability 
for quantum symmetric-key encryption schemes (which they call IND, but which 
we relabel here as q-IND-qse for ease of reading) as follows. 

Definition C.2 (q-IND-qse). A qSKE $(\mathsf{Q.Gen}, \mathsf{Q.Enc}, \mathsf{Q.Dec})$ has indistinguishable 
encryptions (or is q-IND-qse secure) if for every QPT adversary $\mathcal{A} = (\mathcal{M}, \mathcal{D})$ we have: 
$$\left| \Pr\left[ \mathcal{D}_{\mathsf{Q.Enc}}(\rho_{ME}) = 1 \right] - \Pr\left[ \mathcal{D}_{\mathsf{Q.Enc}}(|0\rangle\langle 0|_M \otimes \rho_E) = 1 \right] \right| \le \mathrm{negl}(n)$$ 
where $\rho_{ME} \leftarrow \mathcal{M}$, $\rho_E = \mathrm{tr}_M(\rho_{ME})$, $\mathcal{D}_{\mathsf{Q.Enc}} = \mathcal{D} \circ (\mathsf{Enc}_k \otimes I_E)$ and the probabilities 
are taken over $k \leftarrow \mathsf{Q.Gen}(1^n)$ and the internal randomness of $\mathsf{Enc}$, $\mathcal{M}$, and $\mathcal{D}$. 

Basically, the above definition states that for any QPT adversary $\mathcal{A}$, it must 
be hard to distinguish an encryption of any state $\rho_M$ from an encryption of 
$|0\rangle\langle 0|_M$ (where $\rho_E$ is auxiliary information carried between the two parts $\mathcal{M}$ and 
$\mathcal{D}$ of $\mathcal{A}$). Once we add a quantum CPA phase ($\mathcal{M}$ and $\mathcal{D}$ are given oracle access 
to $\mathsf{Enc}_k$), Definition C.2 translates to the notion of q-IND-CPA from [BJ15]. 
And, also in [BJ15, Theorem B.2], this notion q-IND-CPA has been shown to 
be equivalent to another notion, q-IND-CPA-2, which considers the case where 
in the above game there are two messages chosen by the adversary, $\rho^0$ and $\rho^1$, 
instead of a single state $\rho$ and the fixed $|0\rangle\langle 0|$ state. In other words, the q-IND-CPA-2 
game can then be summarized as follows. 

Definition C.3 (q-IND-CPA-2). A qSKE $(\mathsf{Q.Gen}, \mathsf{Q.Enc}, \mathsf{Q.Dec})$ is q-IND-CPA-2 
secure if any QPT adversary $\mathcal{A}$ having oracle access to $\mathsf{Q.Enc}_k$ has 
probability at most negligibly better than guessing of winning the following game: 

1. $\mathcal{A}$ generates two plaintext state messages $\rho^0, \rho^1 \in \mathcal{X}$ and sends them to the 
challenger $\mathcal{C}$; 

2. $\mathcal{C}$ flips a random bit $b \leftarrow \{0,1\}$; 

3. $\mathcal{C}$ traces out (discards) $\rho^{1-b}$; 

4. $\mathcal{C}$ encrypts $\rho^b$ to $\psi \leftarrow \mathsf{Q.Enc}_k(\rho^b)$; 

5. $\mathcal{A}$ receives back $\psi$ from $\mathcal{C}$; 

6. $\mathcal{A}$ outputs a bit $b'$, and wins the game iff $b = b'$. 

Finally, notice that Definition C.3 is equivalent to Definition 3.2 when the 
encryption algorithm $\mathsf{Q.Enc}$ is actually a type-(2) unitary operator $U_{\mathsf{Enc}}$ of a 
classical symmetric-key encryption scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$. This concludes the 
proof of Theorem 3.3. $\square$ 
D Semantic Security with Quantum Advice States 

In Section 4.1 we left open the question of what happens if the messages (and the 
function to be computed about the message) are still classical, but the auxiliary 
advice can be a quantum state. Here we discuss this scenario. 

A possible first approach is the following: Let $U_{\xi_m}$ be a unitary (the advice 
unitary) that takes as input a basis element $|x\rangle$ representing a classical $m$-bit 
message $x$ as well as (if required) an auxiliary register prepared by $\mathcal{C}$ and computes 
a quantum advice state $|\xi_m\rangle$. Then we can define the following challenge 
phase and the corresponding notion. 

Quantum-advice SEM challenge phase (qaSEM): $\mathcal{A}$ sends $\mathcal{C}$ a challenge 
template consisting of: a poly-sized classical circuit $S_m$ specifying a distribution 
over $m$-bit plaintexts $x$, a classical description of the advice unitary $U_{\xi_m}$, and a 
target function $f_m : \{0,1\}^m \to \{0,1\}^{\mathrm{poly}(n)}$ for an $m \in \mathbb{N}$ of $\mathcal{A}$'s choice. $\mathcal{C}$ replies 
with the pair $(\mathsf{Enc}_k(x), |\xi_m\rangle)$, where $x$ is sampled according to $S_m$ and $|\xi_m\rangle$ 
is computed by constructing and evaluating $U_{\xi_m}$ on $|x\rangle$. $\mathcal{A}$'s goal is to output 
$f_m(x)$. Again, $\mathcal{S}$ plays in the reduced game and learns only $|\xi_m\rangle$. 

Definition D.l (qaSEM-qCPA). A secret-key encryption scheme is said to 
be qaSEM-qCPA-secure if for every quantum polynomial-time machine A, there 
exists a quantum polynomial-time machine S such that the challenge templates 
produced by S and A are identically distributed and the success probability of A 
winning the qaSEM-qCPA game is negligibly close (in n) to the success proba¬ 
bility of S winning the reduced game. 

At a first glance it might seem as if qaSEM-qCPA is equivalent to SEM-qCPA 
as a security notion because having a classical advice function $h(x)$ is just 
a special case of a quantum advice circuit depending on $x$. Notice however that 
as we restrict $U_{\xi_m}$ to be a circuit computing a unitary operator $U|x\rangle$ this notion 
is meaningless because it is trivially achievable by any encryption scheme. The 
reason is that, in this case, both $\mathcal{A}$ and $\mathcal{S}$ can always apply $U^{-1}$ to $|\xi_m\rangle$ to 
recover the message: it is like restricting the classical notion to the case where 
the advice function $h$ is just a permutation chosen by $\mathcal{A}$ (resp. $\mathcal{S}$). 

To fix this problem, we have to allow more general quantum circuits $U^m_\xi$ 
that can somehow provide non-reversible information, for example by applying 
some partial measurement at the end, or by providing A (resp. S) only with 
some output qubits, while C keeps the others. Towards this end let $U^m_\xi$ be an 
arbitrary quantum circuit (the advice circuit) that takes as input a basis element 
$|x\rangle$ representing a classical $m$-bit message $x$, a quantum state $\rho_m$ provided by 
A (resp. S) (that includes possibly needed auxiliary registers), and computes a 
quantum advice state $\xi_m$. This leads to the following definition: 
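
As an added illustration (not part of the original text), the two observations above can be written out. If the advice is produced by a unitary alone, the advice state is reversible and A (resp. S) obtains $x$ directly, whatever the encryption scheme: 

$$U^m_\xi\,|x\rangle = |\xi_m\rangle \quad\Longrightarrow\quad (U^m_\xi)^{-1}|\xi_m\rangle = (U^m_\xi)^\dagger U^m_\xi\,|x\rangle = |x\rangle .$$

If instead C may keep a register, a classical advice function $h : \{0,1\}^m \to \{0,1\}^\ell$ is recovered as a special case: take $\rho_m = |0^\ell\rangle\langle 0^\ell|$, let the circuit apply the reversible evaluation $V_h\,|x\rangle|y\rangle = |x\rangle|y \oplus h(x)\rangle$, and let C hand over only the second register, 

$$\xi_m = \mathrm{Tr}_1\!\left( V_h \bigl(|x\rangle\langle x| \otimes |0^\ell\rangle\langle 0^\ell|\bigr) V_h^\dagger \right) = |h(x)\rangle\langle h(x)| .$$

The map $x \mapsto \xi_m$ is exactly the classical advice $h$; since $h$ need not be injective (a constant $h$ yields the same $\xi_m$ for every $x$), $x$ can no longer be read off from $\xi_m$ in general. 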

Ideal quantum advice, classical SEM challenge phase (iqSEM): A sends 
C a challenge template consisting of: a poly-sized classical circuit $S_m$ specifying 
a distribution over $m$-bit plaintexts, a classical description of the quantum advice 
circuit $U^m_\xi$, a quantum state $\rho_m$, and a target function $f_m : \{0,1\}^m \to 
\{0,1\}^{\mathrm{poly}(n)}$ for an $m \in \mathbb{N}$ of A's choice. C replies with the pair $(\mathrm{Enc}_k(x), \xi_m)$, 
where $x$ is sampled according to $S_m$ and $\xi_m$ is computed by constructing and 
executing $U^m_\xi$. A's goal is to output $f_m(x)$. 

The iqSEM-qCPA game is defined by qCPA learning phases and an iqSEM 
challenge phase. This leads to the following definition: 

Definition D.2 (iqSEM-qCPA). A secret-key encryption scheme is said to 
be iqSEM-qCPA-secure if for every quantum polynomial-time machine A, there 
exists a quantum polynomial-time machine S such that the challenge templates 
produced by S and A are identically distributed and the success probability of A 
winning the iqSEM-qCPA game is negligibly close (in n) to the success probability 
of S winning the reduced game. 

This notion turns out to be equivalent to SEM-qCPA (and IND-qCPA). The 
reason is that having a quantum advice state does not really give any additional 
power to A in the case of classical messages and target functions. This can be 
seen from the reduction between IND-qCPA and SEM-qCPA, see the proofs of 
Propositions 5.2 and 5.3. In one case, the advice state is only used to pass A's 
code from the first circuit of S to the second one (which can also be done with 
a quantum advice state), in the other case it is set to a constant function. 

It seems like introducing arbitrary quantum advice circuits (as opposed to 
superpositions of classical advices) is not meaningful as long as the messages 
are still classical. Consequently, we proceed in Section 4.2 with our search for a 
notion of quantum semantic security considering quantum message states. 